Test Security Advisories
Welcome to the new Rockwell Automation Security Advisory portal. Click here to read more about our security advisory initiative.
Product Description
Rockwell Automation Stratix® devices are industrial Ethernet switches and network infrastructure components designed for rugged environments, offering managed and unmanaged options with integrated support for EtherNet/IP™ and optimized configuration through Studio 5000®.
Affected products and solution
Affected Product | CVE | Affected Software Version | Corrected in Software Version
Stratix® 5700, Stratix® 5400, Stratix® 5410 | CVE-2025-20352 | Up to v15.2(8)E7 | Expected October 2025
Stratix® 5200/5800 | CVE-2025-20352 | Up to v17.17.01 | Expected March 2026
Security Issue Details
Category | Details
CVE ID | CVE-2025-20352
Impact | A third-party vulnerability exists in the affected products. The affected products use Cisco IOS XE Software which contains a vulnerability in the Simple Network Management Protocol (SNMP) subsystem. An authenticated, remote attacker with low privileges could cause a denial of service (DoS) condition on an affected device that is running Cisco IOS Software or Cisco IOS XE Software. To cause the DoS, the attacker must have the SNMPv2c or earlier read-only community string or valid SNMPv3 user credentials. An authenticated, remote attacker with high privileges could execute code as the root user on an affected device that is running Cisco IOS XE Software. To execute code as the root user, the attacker must have the SNMPv1 or v2c read-only community string or valid SNMPv3 user credentials and administrative or privilege 15 credentials on the affected device. An attacker could exploit this vulnerability by sending a crafted SNMP packet to an affected device over IPv4 or IPv6 networks. This vulnerability is due to a stack overflow condition in the SNMP subsystem of the affected software. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system. Note: This vulnerability affects all versions of SNMP.
CVSS 3.1 Base Score |
CVSS 4.0 Base Score |
CWEs |
Known Exploited Vulnerability | No (Not listed in KEV database)
Mitigations and Workarounds
Customers using the affected Stratix® software should refer to the Workarounds section of the Cisco advisory and to our security best practices.
Revision History
Revision | Date | Description
1.0 | 9/26/2025 | Initial release
Get Up-to-Date Product Security Information
Visit the Rockwell Automation security advisories on the Trust Center page to:
· Subscribe to product security alerts
· Review the current list of Rockwell Automation security advisories
· Report a possible security issue in a Rockwell Automation product
· Learn more about the Rockwell Automation vulnerability policy
Support
If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.
If you have any questions regarding this disclosure, please contact PSIRT.
Email: rasecure@ra.rockwell.com
Legal Disclaimer
ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.
The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.
Product Description
FactoryTalk® Analytics™ LogixAI® from Rockwell Automation is an embedded machine learning solution that enables control engineers to deploy predictive models directly within Logix controllers.
Affected products and solution
Affected Product | CVE | Affected Software Version | Corrected in Software Version
FactoryTalk® Analytics™ LogixAI® | CVE-2025-9364 | Versions 3.00 and 3.01 |
Security Issue Details
Category | Details
CVE ID | CVE-2025-9364
Impact | An open database issue exists in the affected product and version. The security issue stems from an over permissive Redis instance. This could result in an attacker on the intranet accessing sensitive data and potential alteration of data.
CVSS 3.1 Base Score |
CVSS 4.0 Base Score |
CWEs | CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
Known Exploited Vulnerability | No (Not listed in KEV database)
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.
Revision History
Revision | Date | Description
1.0 | September 9, 2025 | Initial release
Glossary
· Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
· Redis: an open-source, in-memory data structure store used as a database, cache, and message broker. It supports data types such as strings, hashes, lists, and sets, and is known for its high performance, low latency, and simplicity.
The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.
Product Description
The ControlLogix® 5580 controller from Rockwell Automation delivers high-speed, multi-discipline control for discrete, motion, process, and safety applications, featuring enhanced security and integrated motion over EtherNet/IP.
Affected products and solution
Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
ControlLogix® 5580 | CVE-2025-9166 | Version 35.013 | |
Security Issue Details
Category | Details
CVE ID | CVE-2025-9166
Impact | A denial-of-service security issue exists in the affected product and version. The security issue stems from the controller repeatedly attempting to forward messages. The issue could result in a major nonrecoverable fault on the controller.
CVSS 3.1 Base Score |
CVSS 4.0 Base Score |
CWEs |
Known Exploited Vulnerability | No (Not listed in KEV database)
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.
Revision History
Revision | Date | Description
1.0 | September 9, 2025 | Initial release
Glossary
· Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
· Denial-of-Service (DoS): An attack that disrupts the normal functioning of a system, often by overwhelming it with requests.
· Major Nonrecoverable Fault (MNRF): an error that occurs in a system or device and prevents it from recovering or functioning properly
The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.
Product Description
The CompactLogix® 5480 controller from Rockwell Automation is a high-performance, real-time controller that combines Logix control with Windows 10 IoT Enterprise.
Affected products and solution
Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
CompactLogix® 5480 | CVE-2025-9160 | Version 32 - 37.011 w Windows package (2.1.0) Win10 v1607 | N/A |
Security Issue Details
Category | Details
CVE ID | CVE-2025-9160
Impact | A code execution security issue exists in the affected product. An attacker with physical access could abuse the maintenance menu of the controller with a crafted payload. The security issue can result in arbitrary code execution.
CVSS 3.1 Base Score |
CVSS 4.0 Base Score |
CWEs |
Known Exploited Vulnerability | No (Not listed in KEV database)
Mitigations and Workarounds
Best security practices should be applied.
Revision History
Revision | Date | Description
1.0 | September 9, 2025 | Initial release
Glossary
· Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
· Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process
Stratix® IOS Cross-Site Request Forgery to Code Execution Vulnerability
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
Product Description
Stratix® industrial Ethernet switches from Rockwell Automation provide high-performance network infrastructure optimized for industrial environments.
Affected products and solution
Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
Stratix IOS | CVE-2025-7350 | 15.2(8)E5 and below | 15.2(8)E6 |
Security Issue Details
Category | Details
CVE ID | CVE-2025-7350
Impact | A security issue affecting multiple Cisco devices also directly impacts Stratix® 5410, 5700, and 8000 devices. This can lead to remote code execution by uploading and running malicious configurations without authentication.
CVSS 3.1 Base Score |
CVSS 4.0 Base Score |
CWEs | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Known Exploited Vulnerability | No (Not listed in KEV database)
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.
Revision History
Revision | Date | Description
1.0 | September 9, 2025 | Initial release
Glossary
· Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
· Remote Code Execution: allows attackers to run arbitrary code on a remote machine, connecting to it over public or private networks
1783-NATR Memory Size Calculation Underflow Vulnerability
The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments. Please note Rockwell Automation could not confirm whether this vulnerability is exploitable; however, we are disclosing it in the interest of full transparency and proactive communication.
Product Description
1783-NATR is a configurable NAT router that simplifies machine integration into plant-wide networks by enabling 1:1 IP address translation, supporting Device Level Ring and linear topologies, and allowing configuration via web interface or Studio 5000 Add-on Profile.
Affected products and solution
Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
1783-NATR | CVE-2020-28895 | All Versions Prior to 1.007 | 1.007 |
Security Issue Details
Category | Details
CVE ID | CVE-2020-28895
Impact | In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
CVSS 3.1 Base Score |
CVSS 4.0 Base Score |
CWEs |
Known Exploited Vulnerability | No (Not listed in KEV database)
Glossary:
· Wind River VxWorks: A trusted and widely deployed real-time operating system (RTOS) for mission-critical embedded systems. Used in all NATR modules.
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.
Revision History
Revision | Date | Description
1.0 | September 9, 2025 | Initial release
ThinManager® Server-Side Request Forgery Vulnerability
The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.
Product Description
ThinManager is a centralized, secure thin client management software that delivers industrial visualization and application control across devices, helping optimize operations with scalable deployment and reduced IT overhead.
Affected products and solution
Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
ThinManager® | CVE-2025-9065 | 13.0 - 14.0 | 14.1 |
Security Issue Details
Category | Details
CVE ID | CVE-2025-9065
Impact | A server-side request forgery security issue exists within Rockwell Automation ThinManager® software due to the lack of input sanitization. Authenticated attackers can exploit this vulnerability by specifying external SMB paths, exposing the ThinServer® service account NTLM hash.
CVSS 3.1 Base Score |
CVSS 4.0 Base Score |
CWEs |
Known Exploited Vulnerability | No (Not listed in KEV database)
Glossary:
· SMB: Server Message Block, a protocol used for sharing files, printers, and other resources over a network
· NTLM: NT LAN Manager, a Windows authentication protocol
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices. Customers can also reference the following article from Microsoft to Block NTLM connections on SMB in Windows Server 2025.
Revision History
Revision | Date | Description
1.0 | September 9, 2025 | Initial release
FactoryTalk Activation Manager Lack of Encryption Vulnerability
The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.
Product Description
FactoryTalk Activation Manager is a secure software tool that enables activation and management of Rockwell Automation products without physical media, using internet-based activation files and multiple licensing options.
Affected products and solution
Affected Product | CVE | Affected Software Version | Corrected in Software Version
FactoryTalk Activation Manager | CVE-2025-7970 | 5.00 - 5.01 | 5.02
Security Issue Details
Category | Details
CVE ID | CVE-2025-7970
Impact | A security issue exists within FactoryTalk Activation Manager. An error in the implementation of cryptography within the software could allow attackers to decrypt traffic. This could result in data exposure, session hijacking, or full communication compromise.
CVSS 3.1 Base Score |
CVSS 4.0 Base Score |
CWEs | CWE-303: Incorrect Implementation of Authentication Algorithm
Known Exploited Vulnerability | No (Not listed in KEV database)
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.
Revision History
Revision | Date | Description
1.0 | September 9, 2025 | Initial release
FactoryTalk Optix Remote Code Execution Vulnerability
The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.
Product Description
FactoryTalk Optix is a scalable, cloud-enabled visualization platform that lets you design, test, and deploy HMI applications across devices with modern templates, built-in collaboration tools, and OPC UA-based interoperability.
Affected products and solution
Affected Product | CVE | Affected Software Version | Corrected in Software Version
FactoryTalk Optix | CVE-2025-9161 | All Versions 1.5.0 - 1.5.7 | 1.6.0
Security Issue Details
Category | Details
CVE ID | CVE-2025-9161
Impact | A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization. This flaw enables the loading of remote Mosquitto plugins, which can be used to achieve remote code execution.
CVSS 3.1 Base Score |
CVSS 4.0 Base Score |
CWEs |
Known Exploited Vulnerability | No (Not listed in KEV database)
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.
Revision History
Revision | Date | Description
1.0 | September 9, 2025 | Initial release
Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 9.0/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | Affected Software Versions | Corrected in Software Version
FactoryTalk Linx | CVE-2025-7972 | All prior to 6.50 | 6.50 and later
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-7972 IMPACT
A security issue exists within the FactoryTalk Linx Network Browser. By setting process.env.NODE_ENV to ‘development’, an attacker can disable FTSP token validation. This bypass allows access to create, update, and delete FTLinx drivers.
CVSS 3.1 Base Score: 9.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H
CWE: CWE-286: Incorrect User Management
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.
Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: See below
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | First Known in Firmware Version | Corrected in Firmware Version
5094-IF8 | CVE-2025-9041 | V2.011 | V2.012 and later
5094-IY8 | CVE-2025-9042 | V2.011 | V2.012 and later
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-9041
A security issue exists due to improper handling of a CIP Class 32 request when a module is inhibited on the 5094-IF8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVE-2025-9042
A security issue exists due to improper handling of a CIP Class 32 request when a module is inhibited on the 5094-IY8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1287: Improper Validation of Specified Type of Input
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.
Glossary:
CIP: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. It comprises a series of protocols for communication between different devices and systems in automation technology.
Module: A self-contained unit within a system that performs a specific function and can operate independently or as part of a larger system
Inhibited: Temporarily disabled or prevented from operating.
Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 7.5/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | First Known in Software Version | Corrected in Software Version
Studio 5000 Logix Designer | CVE-2025-7971 | V36.00.02 | V37.00.02
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-7971 IMPACT
A security issue exists within Studio 5000 Logix Designer due to unsafe handling of environment variables. If the specified path lacks a valid file, Logix Designer crashes; however, it may be possible to execute malicious code without triggering a crash.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:C/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.
Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 9.8/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
CVE | Affected Product | First Known in Software Version | Corrected in Software Version
CVE-2023-48691 | PLC Micro820 LC20 | V14.011 and below | Migrate to Micro820 L20E V 23.011 and later (this has yet to be released, target to release in Sept 2025)
CVE-2023-48691 | PLC Micro850 LC50 | V12.013 and below | Migrate to Micro850 L50E V 23.011 and later
CVE-2023-48691 | PLC Micro870 LC70 | V12.013 and below | Migrate to Micro870 L70E V 23.011 and later
CVE-2023-48691 | PLC - Micro850 L50E | V20.011 - V22.011 | V23.011 and later
CVE-2023-48691 | PLC - Micro870 L70E | V20.011 - V22.011 | V23.011 and later
CVE-2023-48692 | PLC Micro820 LC20 | V14.011 and below | Migrate to Micro820 L20E V 23.011 and later (this has yet to be released, target to release in Sept 2025)
CVE-2023-48692 | PLC Micro850 LC50 | V12.013 and below | Migrate to Micro850 L50E V 23.011 and later
CVE-2023-48692 | PLC Micro870 LC70 | V12.013 and below | Migrate to Micro870 L70E V 23.011 and later
CVE-2023-48692 | PLC - Micro850 L50E | V20.011 - V22.011 | V23.011 and later
CVE-2023-48692 | PLC - Micro870 L70E | V20.011 - V22.011 | V23.011 and later
CVE-2023-48693 | PLC Micro820 LC20 | V14.011 and below | Migrate to Micro820 L20E V 23.011 and later (this has yet to be released, target to release in Sept 2025)
CVE-2023-48693 | PLC Micro850 LC50 | V12.013 and below | Migrate to Micro850 L50E V 23.011 and later
CVE-2023-48693 | PLC Micro870 LC70 | V12.013 and below | Migrate to Micro870 L70E V 23.011 and later
CVE-2023-48693 | PLC - Micro850 L50E | V20.011 - V22.011 | V23.011 and later
CVE-2023-48693 | PLC - Micro870 L70E | V20.011 - V22.011 | V23.011 and later
CVE-2025-7693 | PLC - Micro850 L50E | V20.011 - V22.011 | V23.011 and later
CVE-2025-7693 | PLC - Micro870 L70E | V20.011 - V22.011 | V23.011 and later
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2023-48691 IMPACT
Azure RTOS NetX Duo is a TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. An attacker can cause an out-of-bounds write in Azure RTOS NetX Duo, which could lead to remote code execution. The affected components include a process related to the IGMP protocol in RTOS v6.2.1 and below. The fix has been included in NetX Duo release 6.3.0. Users are advised to upgrade.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2023-48692 IMPACT
Azure RTOS NetX Duo is a TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. An attacker can cause remote code execution due to memory overflow vulnerabilities in Azure RTOS NetX Duo. The affected components include processes/functions related to ICMP, TCP, SNMP, DHCP, NAT and FTP in RTOS v6.2.1 and below. The fixes have been included in NetX Duo release 6.3.0. Users are advised to upgrade.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2023-48693 IMPACT
Azure RTOS ThreadX is an advanced real-time operating system (RTOS) designed specifically for deeply embedded applications. An attacker can cause arbitrary reads and writes due to a vulnerability in the parameter checking mechanism of Azure RTOS ThreadX, which may lead to privilege escalation. The affected components include RTOS ThreadX v6.2.1 and below. The fixes have been included in ThreadX release 6.3.0. Users are advised to upgrade.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2025-7693 IMPACT
A security issue exists due to improper handling of malformed CIP Forward Close packets during fuzzing. The controller enters a solid red Fault LED state and becomes unresponsive. Upon power cycle, the controller enters a recoverable fault in which the MS LED and Fault LED flash red and fault code 0xF015 is reported. To recover, clear the fault.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.
Glossary:
TCP/IP: language computers use to talk to each other on a network or the internet
IoT: network of physical devices, like thermostat, fridge, or car
Remote Code Execution: allows attackers to run arbitrary code on a remote machine, connecting to it over public or private networks
IGMP: (Internet Group Management Protocol) Used by IP hosts and adjacent routers to establish multicast group memberships.
ICMP: (Internet Control Message Protocol) Used for sending error messages and operational information, such as when a service is unavailable or a host/router cannot be reached.
TCP: (Transmission Control Protocol) A connection-oriented protocol that ensures reliable data transmission between devices.
SNMP: (Simple Network Management Protocol) Used for collecting and organizing information about managed devices on IP networks.
DHCP: (Dynamic Host Configuration Protocol) Automatically assigns IP addresses and other network configuration parameters to devices on a network, allowing them to communicate effectively.
NAT: (Network Address Translation) A method used to remap IP addresses by modifying network address information in packet headers.
FTP: (File Transfer Protocol) uses two primary ports for its operations: Port 21 and Port 20. These ports play distinct roles in facilitating file transfers between clients and servers.
Parameter: setting or value that helps define how data is transmitted, received, or managed across a network
CIP: (Common Industrial Protocol) a communication protocol designed for automation applications in industrial settings
Fuzzing: a technique that focuses on discovering vulnerabilities by providing a large amount of random and unexpected data inputs to a software system to trigger faults and find implementation bugs
Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 8.6/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | First Known in Software Version | Corrected in Software Version
5032 16pt Digital Configurable module | CVE-2025-7773 | 1.011 | 1.012
5032 16pt Digital Configurable module | CVE-2025-7774 | 1.011 | 1.012
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-7773 IMPACT
A security issue exists within the 5032 16pt Digital Configurable module’s web server. The web server’s session number increments by an interval that correlates with the interval between the last two consecutive sign-in sessions, making it predictable.
CVSS 3.1 Base Score: 8.6
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0 Base Score: 8.8
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
CWE: CWE-863: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No
CVE-2025-7774 IMPACT
A security issue exists within the 5032 16pt Digital Configurable module’s web server. Intercepted session credentials can be used within a 3-minute timeout window, allowing unauthorized users to perform privileged actions.
CVSS 3.1 Base Score: 8.6
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0 Base Score: 8.8
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
CWE: CWE-306: Missing Authentication for Critical Function
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.
Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 9.8/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | Affected Software Versions | Corrected in Software Version
1756-EN2T/D | CVE-2025-7353 | Version 11.004 or below | 12.001
1756-EN2F/C | CVE-2025-7353 | Version 11.004 or below | 12.001
1756-EN2TR/C | CVE-2025-7353 | Version 11.004 or below | 12.001
1756-EN3TR/B | CVE-2025-7353 | Version 11.004 or below | 12.001
1756-EN2TP/A | CVE-2025-7353 | Version 11.004 or below | 12.001
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-7353 IMPACT
A security issue exists due to the web-based debugger agent enabled on released devices. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1188: Initialization of a Resource with an Insecure Default
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.
Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 8.5/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | Affected Software Version | Corrected in Software Version
FactoryTalk Viewpoint | CVE-2025-7973 | Version 14.00 or below | 15.00
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-7973 IMPACT
A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-268: Privilege Chaining
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.
Glossary:
MSI: Microsoft Installer (MSI) file is a package format used for installing, maintaining, and removing software on Windows systems.
Cscript.exe: command-line utility in Windows used to run scripts written in VBScript or JScript.
SYSTEM Privileges: SYSTEM privileges refer to the highest level of access on a Windows machine, allowing full control over all system resources and processes.
Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 8.5/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | Affected Software Versions | Corrected in Software Version
FactoryTalk® Action Manager | CVE-2025-9036 | 1.0.0 | 1.01
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-9036 IMPACT
A security issue in the runtime event system allows unauthenticated connections to receive a reusable API token. This token is broadcasted over a WebSocket and can be intercepted by any local client listening on the connection.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.
Glossary:
API: (Application Programming Interface) is a set of protocols and tools that allow different software applications to communicate with each other
WebSocket: protocol used for communication between a client and a server over a single connection
1756-EN4TR, EN4TRXT - Multiple Vulnerabilities
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
Product Description
The 1756-EN4TR, and 1756-EN4TRXT are high-performance ControlLogix EtherNet/IP communication modules that support advanced topologies like Device Level Ring and Parallel Redundancy Protocol, with scalable connection capacities and environmental ratings to meet standard, high-demand, and extreme industrial networking needs.
Affected products and solution
Affected Product | CVE | Affected Software Version | Corrected in Software Version | Affected Catalog Numbers
1756-EN4TR, 1756-EN4TRXT | CVE-2025-8007 | Version 6.001 or Prior | Version 7.001 or later |
1756-EN4TR, 1756-EN4TRXT | CVE-2025-8008 | Version 6.001 or Prior | Version 7.001 or later |
Security Issue Details
Category | Details
CVE ID | CVE-2025-8007
Impact | A security issue exists in the protected mode of 1756-EN4TR communication modules, where a Concurrent Forward Close operation can trigger a Major Non-Recoverable (MNFR) fault. This condition may lead to unexpected system crashes and loss of device availability.
CVSS 3.1 Base Score |
CVSS 4.0 Base Score |
CWEs |
Known Exploited Vulnerability | No (Not listed in KEV database)
Category | Details
CVE ID | CVE-2025-8008
Impact | A security issue exists in the protected mode of EN4TR devices, where sending specifically crafted messages during a Forward Close operation can cause the device to crash.
CVSS 3.1 Base Score |
CVSS 4.0 Base Score |
CWEs |
Known Exploited Vulnerability | No (Not listed in KEV database)
Glossary:
· Major Non-Recoverable: critical fault condition within industrial control systems
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.
Revision History
Revision | Date | Description
1.0 | September 9, 2025 | Initial release
2.0 | September 15, 2025 | Affected Product Update
Published Date: 8/5/2025
Last Updated: 8/5/2025
Revision Number: 1.0
CVSS Score: 8.4/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | First Known in Software Version | Corrected in Software Version
Arena® Simulation | CVE-2025-7025 | 16.20.09 and prior |
Arena® Simulation | CVE-2025-7032 | 16.20.09 and prior |
Arena® Simulation | CVE-2025-7033 | 16.20.09 and prior |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following security issues. The vulnerabilities were reported by Michael Heinzl.
CVE-2025-7025 IMPACT
A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-125 Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No
CVE-2025-7032 IMPACT
A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-121: Stack-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No
CVE-2025-7033 IMPACT
A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-122: Heap-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.
Glossary
· Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
· Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process
Published Date: 7/16/2025
Last Updated: 7/16/2025
Revision Number: 1.0
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | Affected Versions | Corrected in Software Version
Industrial Data Center (IDC) with VMware | Generations 1 – 4 | Refer to Mitigations and Workarounds
VersaVirtual Appliance (VVA) with VMware | Series A & B | Refer to Mitigations and Workarounds
Threat Detection Managed Services (TDMS) with VMware | All | Refer to Mitigations and Workarounds
Endpoint Protection Service with Rockwell Automation Proxy & VMware only | All | Refer to Mitigations and Workarounds
Engineered and Integrated Solutions with VMware | All |
Remediations and Workarounds
Users with an active Rockwell Automation Infrastructure Managed Service contract or Threat Detection Managed Service contract:
Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.
Users without a Rockwell Automation managed services contract should refer to Broadcom’s advisories below:
· Support Content Notification - Support Portal - Broadcom support portal
Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
VULNERABILITY DETAILS
Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-41236
An integer-overflow vulnerability exists in the VMXNET3 virtual network adapter used in VMware ESXi, Workstation, and Fusion. Exploitation of this vulnerability can lead to code execution on the host.
CVSS 3.1 Base Score: 9.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.4
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Known Exploited Vulnerability (KEV) database: No
CVE-2025-41237
An integer-underflow vulnerability exists in the Virtual Machine Communication Interface (VMCI) of VMware ESXi, Workstation, and Fusion, which can lead to an out-of-bounds write. Exploitation of this vulnerability can lead to code execution on the host.
CVSS 3.1 Base Score: 9.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.4
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Known Exploited Vulnerability (KEV) database: No
CVE-2025-41238
A heap-overflow vulnerability exists in the Paravirtualized SCSI (PVSCSI) controller of VMware ESXi, Workstation, and Fusion, which can lead to an out-of-bounds write. Exploitation of this vulnerability can lead to code execution on the host.
CVSS 3.1 Base Score: 9.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.4
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Known Exploited Vulnerability (KEV) database: No
CVE-2025-41239
An information disclosure vulnerability exists in vSockets due to the use of uninitialized memory in VMware ESXi, Workstation, Fusion, and VMware Tools. Exploitation of this vulnerability can result in the leakage of memory from processes communicating with vSockets.
CVSS 3.1 Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 Base Score: 8.2
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: 7/9/2025
Last Updated: 7/9/2025
Revision Number: 1.0
CVSS Score: 7.1/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | First Known in Software Version | Corrected in Software Version
Software - Arena® | CVE-2025-6377 | 16.20.08 and earlier | 16.20.09 and later
Software - Arena® | CVE-2025-6376 | 16.20.08 and earlier | 16.20.09 and later
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerability. The vulnerability was reported by Zero Day Initiative (ZDI).
CVE-2025-6377 IMPACT
A remote code execution security issue exists in the affected product. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause the worst-case impact. This is reflected in the Rockwell CVSS score as AT:P.
ZDI CVSS Score
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Rockwell CVSS Score
CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
CVE-2025-6376 IMPACT
A remote code execution security issue exists in the affected product. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause the worst-case impact. This is reflected in the Rockwell CVSS score as AT:P.
ZDI CVSS Score
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Rockwell CVSS Score
CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Users should update to the corrected version if possible. Users of the affected software who are not able to upgrade should apply security best practices.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Glossary
DOE File: A DOE file, or Design of Experiments file, is a document used to plan and organize an experiment efficiently. It helps in systematically arranging tests and analyzing the effects of multiple factors and their interactions on a response variable.
Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Published Date: 5/15/2025
Last updated: 5/15/2025
Revision Number: 1.0
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in software version | Corrected in software version
95057C-FTHTWXCT11 | <= v4.02.00 | v5.00.00 and later
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2018-1285
A vulnerability has been identified in the third-party Apache log4net software, impacting the FactoryTalk® Historian-ThingWorx Connector. This issue arises because versions of Apache log4net prior to 2.0.10 fail to disable XML external entities during the parsing of log4net configuration files. Consequently, a threat actor could exploit this to launch XXE-based attacks on applications that accept malicious log4net configuration files.
CVSS 3.1 Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: no
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Update to the corrected version if possible. Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | First Known in Software Version | Corrected in Software Version
Software - ThinManager | CVE-2025-3617 | 14.0.0 & 14.0.1 | v14.0.2 and later
Software - ThinManager | CVE-2025-3618 | v14.0.1 and earlier | v11.2.11, 12.0.9, 12.1.10, 13.0.7, 13.1.5, 13.2.4, 14.0.2 and later
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Zero Day Initiative (ZDI).
CVE-2025-3617 IMPACT
A privilege escalation vulnerability exists in the affected product. When the software starts up, files are deleted in the temporary folder causing the Access Control Entry of the directory to inherit permissions from the parent directory. If exploited, a threat actor could inherit elevated privileges.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-276 Incorrect Default Permissions
Known Exploited Vulnerability (KEV) database: No
CVE-2025-3618 IMPACT
A denial-of-service vulnerability exists in the affected product. The software fails to adequately verify the outcome of memory allocation while processing Type 18 messages. If exploited, a threat actor could cause a denial-of-service on the target software.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Published Date: 4/8/2025
Last updated: 4/8/2025
Revision Number: 1.0
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in software version | Corrected in software version
Arena® | 16.20.08 and earlier | 16.20.09
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Michael Heinzl.
CVE-2025-2285
A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-457 Uninitialized Variable
CVE-2025-2286
A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-457 Uninitialized Variable
CVE-2025-2287
A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-457 Uninitialized Variable
CVE-2025-2288
A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-787 Out-of-bounds Write
CVE-2025-2293
A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-787 Out-of-bounds Write
CVE-2025-2829
A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-787 Out-of-bounds Write
CVE-2025-3285
A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read
CVE-2025-3286
A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read
CVE-2025-3287
A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read
CVE-2025-3288
A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read
CVE-2025-3289
A local code execution vulnerability exists in the affected products due to a stack-based memory buffer overflow. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
CVSS 3.1 Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
CWE: CWE-121 Stack-based Buffer Overflow
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Users using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: 3/25/2025
Revision Number: 1.0
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | Affected Versions | Corrected in Software Version
440G TLS-Z | v6.001 | n/a – see mitigations
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· Limit physical access to authorized personnel: Control room, cells/areas, control panels, and devices. See Chapter 4, Harden the Control System of System Security Design Guidelines
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2020-27212 IMPACT
A local code execution vulnerability exists in the STMicroelectronics STM32L4 devices due to having incorrect access controls. The affected product utilizes the STMicroelectronics STM32L4 device and because of the vulnerability, a threat actor could reverse protections that control access to the JTAG interface. If exploited, a threat actor can take over the device.
CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1395 Dependency on Vulnerable Third-Party Component & CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CPE: cpe:2.3:h:st:stm32l431rc:-:*:*:*:*:*:*:*
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Lifecycle Services with Veeam Backup and Replication are Vulnerable to third-party Vulnerabilities
Published Date: 03/21/25
Last updated: 03/27/25
Revision Number: 1.0
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | Affected Versions | Corrected in Software Revision
Industrial Data Center (IDC) with Veeam | Generations 1 – 5 | Refer to Remediation and Workarounds
VersaVirtual™ Appliance (VVA) with Veeam | Series A - C | Refer to Remediation and Workarounds
REMEDIATIONS AND WORKAROUNDS
Users with an active Rockwell Automation Infrastructure Managed Service contract:
Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.
Users without a Rockwell Automation managed services contract should refer to Veeam’s advisories below:
· Support Content Notification - Support Portal – Veeam support portal
· https://www.veeam.com/kb4724
Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
VULNERABILITY DETAILS
Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.
A remote code execution vulnerability exists in Veeam Backup & Replication, which the affected products use. Exploitation of the vulnerability can allow a threat actor to execute code on the target system.
CVSS 3.1 Base Score: 9.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.4
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Known Exploited Vulnerability (KEV) database: No
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: 3/25/25
Revision Number: 1.0
AFFECTED PRODUCTS AND SOLUTION
Affected Product | Affected Version(s) | Corrected in Software Revision
Verve Asset Manager | <=1.39 | V1.40
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-1449 IMPACT
A vulnerability exists in the affected product due to insufficient variable sanitizing. A portion of the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability (deprecated since the 1.36 release) allows users to change a variable with inadequate sanitizing. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service.
CVSS 3.1 Base Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE: CWE-1287: Improper Validation of Specified Type of Input
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improving all business environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | Affected Versions | Corrected in software version
Industrial Data Center (IDC) with VMware | Generations 1 – 4 | Refer to Mitigations and Workarounds
VersaVirtual™ Appliance (VVA) with VMware | Series A & B | Refer to Mitigations and Workarounds
Threat Detection Managed Services (TDMS) with VMware | All | Refer to Mitigations and Workarounds
Endpoint Protection Service with RA Proxy & VMware only | All | Refer to Mitigations and Workarounds
Engineered and Integrated Solutions with VMware | All |
Remediations and Workarounds
Users with an active Rockwell Automation Infrastructure Managed Service contract or Threat Detection Managed Service contract:
Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.
Users without a Rockwell Automation managed services contract should refer to Broadcom’s advisories below:
· Support Content Notification - Support Portal - Broadcom support portal
Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
VULNERABILITY DETAILS
Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-22224
A time-of-check time-of-use (TOCTOU) vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with local administrative privileges to execute code as the virtual machine's VMX process running on the host.
CVSS 3.1 Base Score: 9.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.4
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Known Exploited Vulnerability (KEV) database: Yes
CVE-2025-22225
A code execution vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with privileges within the VMX process to trigger an arbitrary kernel write, leading to an escape of the sandbox.
CVSS 3.1 Base Score: 8.2
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Known Exploited Vulnerability (KEV) database: Yes
CVE-2025-22226
An out-of-bounds vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with administrative privileges to leak memory from the VMX process.
CVSS 3.1 Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVSS 4.0 Base Score: 8.2
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: Yes
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
AFFECTED PRODUCTS AND SOLUTION
Affected Product |
CVE |
Affected Versions |
Corrected Version |
FactoryTalk® AssetCentre |
CVE-2025-0477 |
All prior to V15.00.001 |
|
V11, V12, and V13 (patch available) |
|||
CVE-2025-0498 |
V15.00.01 and later |
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
For CVE-2025-0477:
o Update FactoryTalk® AssetCentre to v15.00.01 or later.
o The encrypted data is stored in a table in the database. Control access to the database by non-essential users.
For CVE-2025-0497
o Update FactoryTalk® AssetCentre to v15.00.01 or later.
o Apply patches to correct legacy versions:
§ To apply the patch for LogCleanUp or ArchiveLogCleanUp download and install the Rockwell Automation January 2025 Monthly Patch rollup, or later
§ To apply patches for EventLogAttachmentExtractor or ArchiveExtractor, locate the article BF31148, download the patch files and follow the instructions.
o Restrict physical access to the machine to authorized users.
For CVE-2025-0498
o Update FactoryTalk® AssetCentre to v15.00.01 or later.
o Apply patches to correct legacy versions:
§ To apply the patch for download and install the Rockwell Automation January 2025 Monthly Patch rollup, or later
o Restrict physical access to the machine to authorized users.
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
VULNERABILITY DETAILS
CVE-2025-0477 and CVE-2025-0497 were reported to Rockwell Automation by Nestlé - Alban Avdiji. CVE-2025-0498 was found internally by Rockwell Automation during routine testing. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-0477 IMPACT
An encryption vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to a weak encryption methodology and could allow a threat actor to extract passwords belonging to other users of the application.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-326: Inadequate Encryption Strength
Known Exploited Vulnerability (KEV) database: No
CVE-2025-0497 IMPACT
A data exposure vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to storing credentials in the configuration file of EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages.
CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-522: Insufficiently Protected Credentials
Known Exploited Vulnerability (KEV) database: No
CVE-2025-0498 IMPACT
A data exposure vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to insecure storage of FactoryTalk® Security user tokens, which could allow a threat actor to steal a token and impersonate another user.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-522: Insufficiently Protected Credentials
Known Exploited Vulnerability (KEV) database: No
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | Affected Software Version | Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud | CVE-2025-0659 | <=7.11 | 7.11.01
DataEdgePlatform DataMosaix™ Private Cloud | CVE-2020-11656 | <=7.09 | 7.11.01
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-0659 IMPACT
A path traversal vulnerability exists in the affected product. By specifying the character sequence in the body of the vulnerable endpoint, it is possible to overwrite files outside of the intended directory. A threat actor with admin privileges could leverage this vulnerability to overwrite reports including user projects.
CVSS 3.1 Base Score: 5.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N
CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
CWE: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Known Exploited Vulnerability (KEV) database: No
CVE-2020-11656 IMPACT
The affected product utilizes SQLite, which contains a use after free vulnerability in the ALTER TABLE implementation, which was demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1395 Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
AFFECTED PRODUCTS AND SOLUTION
Affected Product(s) | First Known in Software Version | Corrected in Software Version
GuardLogix 5580 Compact GuardLogix 5380 SIL3 | V33.011 | V33.017, V34.014, V35.013, V36.011 and later
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-24478 IMPACT
A denial-of-service vulnerability exists in the affected products. The vulnerability could allow a remote, non-privileged user to send malicious requests resulting in a major nonrecoverable fault causing a denial-of-service.
CVSS 3.1 Base Score: 6.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE-755: Improper Handling of Exceptional Conditions
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· Restrict Access to the task object via CIP Security and Hard Run.
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | Affected Version(s) | Corrected in Software Version
FactoryTalk® View Machine Edition | CVE-2025-24479 | < V15 | V15 and Patch for V12, V13, V14 (AID 1152309)
FactoryTalk® View Machine Edition | CVE-2025-24480 | < V15 | V15 and patch for V12, V13, V14 (AID 1152571)
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-24479 IMPACT
A Local Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher privileged user.
CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.6
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-863: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No
CVE-2025-24480 IMPACT
A Remote Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to a lack of input sanitization and could allow a remote attacker to run commands or code as a high-privileged user.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') & CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· CVE-2025-24479:
  · Upgrade to V15.00 or apply patch in AID 1152309
  · Control physical access to the system
· CVE-2025-24480:
  · Upgrade to V15.00 or apply patch in AID 1152571
  · Protect network access to the device
  · Strictly constrain the parameters of invoked functions
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | CVE | Affected Version(s) | Corrected in Software Version |
| FactoryTalk® View SE | CVE-2025-24481 | < V15.0 | V15.0, and patch for v14 (AID 1152306) |
| FactoryTalk® View SE | CVE-2025-24482 | < V15.0 | V15.0, and patches for V12, V13, V14 (AID 1152304) |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-24481 IMPACT
An Incorrect Permission Assignment Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect permissions being assigned to the remote debugger port and can allow for unauthenticated access to the system configuration.
CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
CWE-732: Incorrect Permission Assignment for Critical Resource
Known Exploited Vulnerability (KEV) database: No
CVE-2025-24482 IMPACT
A Local Code Injection Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect default permissions and allows for DLLs to be executed with higher level permissions.
CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
CWE-94: Improper Control of Generation of Code ('Code Injection')
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· For CVE-2025-24481:
  · Upgrade to V15 or apply the patch in Answer ID 1152306
  · Protect physical access to the workstation
  · Restrict access to port 8091 at the network or workstation
· For CVE-2025-24482:
  · Upgrade to V15 or apply the patch in Answer ID 1152304
  · Check the environment variables (PATH) and make sure the FactoryTalk® View SE installation path (C:\Program Files (x86)\Common Files\Rockwell) is before all others
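The PATH check in the last bullet can be automated. The following is an added example, not Rockwell Automation code: it takes a Windows PATH value as a string (so it can be run offline against a value exported from a workstation, for instance `$env:Path`), reports whether the installation path quoted in the advisory is the first entry and which entries precede it, and produces a reordered value with that path in front. The PATH values in the demo are constructed.

```python
"""Verify that a product's install directory comes first in PATH.

Added example, not Rockwell Automation code. The mitigation for
CVE-2025-24482 is to make sure the FactoryTalk View SE installation path
(ROCKWELL_COMMON below, quoted from the advisory) precedes every other PATH
entry, so that a same-named DLL placed in an earlier directory is not
found first. The PATH values used in the demo are constructed.
"""
import ntpath
from dataclasses import dataclass, field
from typing import List

# Install path quoted in the advisory.
ROCKWELL_COMMON = r"C:\Program Files (x86)\Common Files\Rockwell"


def _canonical(entry: str) -> str:
    """Case-, slash- and trailing-separator-insensitive form of one PATH entry."""
    return ntpath.normcase(ntpath.normpath(entry.strip().strip('"')))


def split_path(path_value: str) -> List[str]:
    """Split a Windows PATH string into its non-empty entries, in order."""
    return [e.strip() for e in path_value.split(";") if e.strip()]


@dataclass
class PathCheck:
    present: bool
    index: int                                   # position of the required entry, -1 if absent
    preceding: List[str] = field(default_factory=list)  # entries searched before it

    @property
    def ok(self) -> bool:
        return self.present and self.index == 0


def check_path_order(path_value: str, required: str = ROCKWELL_COMMON) -> PathCheck:
    """Report whether `required` is the first PATH entry and what precedes it."""
    entries = split_path(path_value)
    target = _canonical(required)
    for i, entry in enumerate(entries):
        if _canonical(entry) == target:
            return PathCheck(True, i, entries[:i])
    return PathCheck(False, -1, entries)


def reorder_path(path_value: str, required: str = ROCKWELL_COMMON) -> str:
    """Return PATH with `required` moved (or added) to the front; other entries keep their order."""
    target = _canonical(required)
    rest = [e for e in split_path(path_value) if _canonical(e) != target]
    return ";".join([required] + rest)


if __name__ == "__main__":
    # Constructed PATH: the Rockwell directory is present but last, spelled with
    # forward slashes and different case, which the canonical form still matches.
    sample = r"C:\Windows\system32;C:\Windows;C:\Tools;C:/Program Files (x86)/Common Files/rockwell/"
    result = check_path_order(sample)
    print(result.ok, result.index, result.preceding)   # False 3 [...three entries...]
    fixed = reorder_path(sample)
    print(fixed)
    print(check_path_order(fixed).ok)                  # True
```

Only directories that precede the installation path matter for this check, so `preceding` is the list to review on a workstation that fails it. In the default Windows DLL search order the PATH directories are consulted after the application directory and the system directories, so this ordering governs libraries that are not found in those locations.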
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | CVE | Affected Versions | Fixed Version |
| KEPServer | CVE-2023-3825 | 6.0 - 6.14.263 | 6.15 |
SECURITY ISSUE DETAILS
Rockwell Automation received a report from PTC regarding a security issue discovered by Security Researchers of Claroty Team82.
Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues.
CVE-2023-3825 IMPACT
KEPServerEX Versions 6.0 to 6.14.263 can be made to decode a recursively defined object, which leads to uncontrolled resource consumption. KEPServerEX uses OPC UA, a protocol which defines various object types that can be nested to create complex arrays. It does not apply a check to see if such an object is recursively defined. An attacker could send a maliciously crafted message that the decoder would try to decode until the stack overflowed and the device crashed.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-400: Uncontrolled Resource Consumption
Known Exploited Vulnerability (KEV) database: No
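The missing check the advisory describes can be made concrete with a small decoder. The block below is an added example, not KEPServerEX or OPC UA Foundation code, and its type table and token stream are a constructed stand-in for the OPC UA encoding rather than the real wire format. It shows the two defences a decoder of nested structure definitions needs: a static check of the definition graph before any value is decoded (`find_recursive_definitions`), and a guard on the current call path plus a nesting limit inside the decoder itself (`decode_value`). The `MAX_NESTING` value and all sample definitions are assumptions made for the example.

```python
"""Cycle- and depth-bounded decoding of nested structure definitions.

Added example; not KEPServerEX code. The type table and scalar token
stream are a constructed model, not the OPC UA binary encoding. It
models the failure class behind CVE-2023-3825: a decoder that follows
structure definitions field by field, without checking whether a
definition leads back to itself, recurses until the stack is exhausted.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterator, List, Tuple, Union

MAX_NESTING = 32  # assumed bound for this example; choose it deliberately in real code

FieldType = Union[str, int]  # a scalar type name, or the id of another StructDef


class DecodeError(ValueError):
    """Raised for recursive definitions, excessive nesting or truncated input."""


@dataclass
class StructDef:
    name: str
    fields: List[FieldType] = field(default_factory=list)


def find_recursive_definitions(defs: Dict[int, StructDef]) -> List[int]:
    """Static check: ids of structs that directly or transitively contain themselves.

    Every field in this model is mandatory, so a cycle in the definition graph
    means no finite value of that type exists and decoding can never terminate.
    """
    def reaches_itself(start: int) -> bool:
        stack, seen = [start], set()
        while stack:
            for child in defs[stack.pop()].fields:
                if isinstance(child, int) and child in defs:
                    if child == start:
                        return True
                    if child not in seen:
                        seen.add(child)
                        stack.append(child)
        return False

    return sorted(tid for tid in defs if reaches_itself(tid))


def decode_value(type_id: int, defs: Dict[int, StructDef], tokens: Iterator[int],
                 depth: int = 0, active: FrozenSet[int] = frozenset()) -> list:
    """Decode one value of struct `type_id` from a stream of scalar tokens.

    `active` holds the ids being decoded on the current call path, so a
    definition that refers back to itself is rejected instead of recursed
    into; `depth` bounds legitimate but very deep nesting.
    """
    if type_id not in defs:
        raise DecodeError(f"unknown type id {type_id}")
    if type_id in active:
        raise DecodeError(f"recursive definition: type {type_id} contains itself")
    if depth > MAX_NESTING:
        raise DecodeError(f"nesting deeper than {MAX_NESTING}")
    value = []
    for f in defs[type_id].fields:
        if isinstance(f, int):
            value.append(decode_value(f, defs, tokens, depth + 1, active | {type_id}))
        else:
            try:
                value.append(next(tokens))
            except StopIteration:
                raise DecodeError("truncated input") from None
    return value


def safe_decode(type_id: int, defs: Dict[int, StructDef], scalars: List[int]) -> Tuple[bool, object]:
    """Decode and return (True, value) or (False, reason) instead of propagating."""
    try:
        return True, decode_value(type_id, defs, iter(scalars))
    except DecodeError as exc:
        return False, str(exc)


def make_chain(length: int) -> Dict[int, StructDef]:
    """Acyclic but deep definitions: struct i wraps struct i+1; the last holds an int32."""
    defs = {i: StructDef(f"Level{i}", [i + 1]) for i in range(1, length)}
    defs[length] = StructDef("Leaf", ["int32"])
    return defs


# Constructed sample type tables.
SAFE_DEFS = {1: StructDef("Point", ["int32", "int32"]), 2: StructDef("Segment", [1, 1])}
RECURSIVE_DEFS = {1: StructDef("Node", ["int32", 1])}  # Node holds a mandatory Node

if __name__ == "__main__":
    print(find_recursive_definitions(RECURSIVE_DEFS))   # [1]
    print(safe_decode(2, SAFE_DEFS, [1, 2, 3, 4]))       # (True, [[1, 2], [3, 4]])
    print(safe_decode(1, RECURSIVE_DEFS, [1, 2, 3]))     # rejected before any recursion
    print(safe_decode(1, make_chain(40), [7]))           # rejected: deeper than MAX_NESTING
```

The static check catches self-referential definitions before any value is parsed, but it does not bound a long acyclic chain, which is why the decoder also enforces `MAX_NESTING`; `make_chain(40)` is accepted by the first check and rejected by the second.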
Mitigations and Workarounds
Customers using the affected software should use risk mitigations.
· For information on Security Risks and how to reduce risks, customers should use our suggested security best practices.
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
ADDITIONAL RESOURCES
· CS405439 - Security vulnerabilities identified in PTC Kepware products - November 2023
Glossary:
Claroty Team82: a research arm that provides vulnerability and threat research to customers and defenders of industrial networks worldwide
KEPServerEX: connectivity platform that provides a single source of industrial automation
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Version(s) | Fixed Version |
| PowerFlex® 755 | <=16.002.279 | v20.3.407 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2025-0631 IMPACT
A Credential Exposure Vulnerability exists in the above-mentioned product and version. The vulnerability is due to using HTTP resulting in credentials being sent in clear text.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE-319: Cleartext Transmission of Sensitive Information
Known Exploited Vulnerability (KEV) database: None
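What "credentials sent in clear text" looks like on the wire, and how a network monitor can confirm it, is shown by the following added example. It is not Rockwell Automation code and does not come from the PowerFlex 755 firmware; it inspects reassembled HTTP requests (as a capture tool would hand them over) for HTTP Basic Authorization headers and password fields in form bodies, reporting the account name and path but never the password itself. The sample requests, hostnames, usernames, passwords and the list of password field names are all constructed assumptions.

```python
"""Flag credentials carried in plain HTTP requests.

Added example, not Rockwell Automation or PowerFlex 755 code. It models the
condition described for CVE-2025-0631: a device whose web interface uses
HTTP, so any credentials submitted to it cross the network unencrypted.
The requests below are constructed samples in the form a capture tool
would reassemble; every name and secret in them is made up.
"""
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}  # assumed form field names


@dataclass
class Finding:
    kind: str                 # "basic-auth" or "form-password"
    username: Optional[str]   # account seen; the secret itself is never recorded
    path: str


def _header(lines: List[str], name: str) -> Optional[str]:
    """Return the value of the first header called `name` (case-insensitive)."""
    prefix = name.lower() + ":"
    for line in lines:
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return None


def inspect_request(raw: str, tls: bool = False) -> List[Finding]:
    """Return findings for one reassembled HTTP request; none if it was inside TLS."""
    if tls:
        return []  # credentials inside a TLS session are not visible to a passive monitor
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0].split()
    path = request_line[1] if len(request_line) >= 2 else "?"
    findings: List[Finding] = []

    auth = _header(lines[1:], "Authorization")
    if auth and auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
            user: Optional[str] = decoded.split(":", 1)[0]
        except ValueError:          # binascii.Error is a ValueError subclass
            user = None
        findings.append(Finding("basic-auth", user, path))

    ctype = _header(lines[1:], "Content-Type") or ""
    if ctype.startswith("application/x-www-form-urlencoded") and body:
        form = parse_qs(body)
        user = (form.get("username") or form.get("user") or [None])[0]
        if any(name.lower() in PASSWORD_FIELDS for name in form):
            findings.append(Finding("form-password", user, path))
    return findings


def scan(requests: List[Tuple[str, bool]]) -> List[Finding]:
    """Run inspect_request over (raw_request, was_tls) pairs and flatten the results."""
    return [f for raw, tls in requests for f in inspect_request(raw, tls)]


# Constructed sample requests (CRLF line endings as on the wire).
SAMPLE_BASIC = (
    "GET /config HTTP/1.1\r\n"
    "Host: drive.example.local\r\n"
    "Authorization: Basic YWRtaW46czNjcmV0\r\n"   # base64 of the made-up "admin:s3cret"
    "\r\n"
)
SAMPLE_FORM = (
    "POST /login HTTP/1.1\r\n"
    "Host: drive.example.local\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
    "username=operator&password=hunter2"
)
SAMPLE_CLEAN = "GET /status HTTP/1.1\r\nHost: drive.example.local\r\n\r\n"

if __name__ == "__main__":
    for f in scan([(SAMPLE_BASIC, False), (SAMPLE_FORM, False), (SAMPLE_CLEAN, False)]):
        print(f"{f.kind}: account {f.username!r} sent in clear to {f.path}")
```

A hit from this check on traffic to a device that offers no HTTPS is the concrete risk the advisory describes; the practical response is the one the advisory gives (restrict who can reach the device's web interface at the network), since the device itself cannot be told to encrypt.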
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Published Date: December 17, 2024
Last updated: August 6, 2025
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.3/10
AFFECTED PRODUCTS AND SOLUTION
| Affected Products | Affected firmware revision | Corrected in firmware revision |
| PM1k 1408-BC3A-485 | <4.020 | 4.020 |
| PM1k 1408-BC3A-ENT | <4.020 | 4.020 |
| PM1k 1408-TS3A-485 | <4.020 | 4.020 |
| PM1k 1408-TS3A-ENT | <4.020 | 4.020 |
| PM1k 1408-EM3A-485 | <4.020 | 4.020 |
| PM1k 1408-EM3A-ENT | <4.020 | 4.020 |
| PM1k 1408-TR1A-485 | <4.020 | 4.020 |
| PM1k 1408-TR2A-485 | <4.020 | 4.020 |
| PM1k 1408-EM1A-485 | <4.020 | 4.020 |
| PM1k 1408-EM2A-485 | <4.020 | 4.020 |
| PM1k 1408-TR1A-ENT | <4.020 | 4.020 |
| PM1k 1408-TR2A-ENT | <4.020 | 4.020 |
| PM1k 1408-EM1A-ENT | <4.020 | 4.020 |
| PM1k 1408-EM2A-ENT | <4.020 | 4.020 |
SECURITY ISSUE DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following security issues. The following issues were reported by Vera Mens of Claroty Research - Team82.
CVE-2024-12371 IMPACT
A device takeover security issue exists in the affected product. It allows a new Policyholder user to be configured via the API without any authentication. A Policyholder user is the most privileged user that can perform edit operations, including creating admin users and performing a factory reset.
CVSS 3.1 Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-420: Unprotected Alternate Channel
CVE-2024-12372 IMPACT
A denial-of-service and possible remote code execution security issue exists in the affected product. This issue results in corruption of the heap memory which may compromise the integrity of the system. This could allow a remote code execution or a denial-of-service attack.
CVSS 3.1 Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-122: Heap-based Buffer Overflows
CVE-2024-12373 IMPACT
A denial-of-service security issue exists in the affected product. This results in a buffer-overflow which could cause a denial-of-service.
CVSS 3.1 Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Mitigations and Workarounds
Customers using the affected software who can't upgrade to one of the corrected versions should use the security best practices.
Glossary
Buffer Overflow: when a program writes more data to a buffer than it can hold, causing the excess data to overflow into adjacent memory locations
Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Published Date: 12/04/24
Last updated: August 6, 2025
Revision Number: 2.0
CVSS Score: v3.1: 7.8, v4.0: 8.5
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | CVE | Affected Software Version | Corrected in Software Version |
| Software - Arena | CVE-2024-11155 | All versions 16.20.00 and prior | V16.20.06 and later |
| Software - Arena | CVE-2024-11156 | All versions 16.20.03 and prior | V16.20.06 and later |
| Software - Arena | CVE-2024-11158 | All versions 16.20.00 and prior | V16.20.06 and later |
| Software - Arena | | All versions 16.20.05 and prior | V16.20.06 and later |
| Software - Arena | CVE-2024-11157 | All versions 16.20.06 and prior | V16.20.07 and later |
| Software - Arena | CVE-2024-12175 | All versions 16.20.06 and prior | V16.20.07 and later |
| Software – Arena® 32 bit | | All versions 16.20.07 and prior | n/a – see mitigations |
| Software – Arena® 32 bit | CVE-2024-11364 | All versions 16.20.06 and prior | V16.20.07 and later |
SECURITY ISSUE DETAILS
Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues. These security issues were reported by ZDI (Zero Day Initiative).
CVE-2024-11155 IMPACT
A “use after free” code execution security issue exists in the affected products. These could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. A threat actor could leverage this issue to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-416 Use After Free
Known Exploited Vulnerability (KEV) database: No
CVE-2024-11156 IMPACT
An “out of bounds write” code execution security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No
CVE-2024-11158 IMPACT
An “uninitialized variable” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to access a variable before it is initialized. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-665 Improper Initialization
Known Exploited Vulnerability (KEV) database: No
CVE-2024-12130 IMPACT
An “out of bounds read” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to read beyond the boundaries of an allocated memory. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-125: Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No
CVE-2024-11157 IMPACT
A third-party security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No
A third-party security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1395 Dependency on third-party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2024-11364 IMPACT
Another “uninitialized variable” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to access a variable prior to it being initialized. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1395 Dependency on third-party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2024-12175 IMPACT
Another “use after free” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-416 Use After Free
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software should use the risk mitigations.
For information on how to mitigate Security Risks, use our suggested security best practices.
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Glossary
DOE file: store model data using a Microsoft Compound File format, which acts as a container for several data streams
Out of bounds read vulnerability: when a program reads data from a memory location outside the bounds of an array or buffer
Out of bounds write code vulnerability: a software vulnerability where a program writes beyond the bounds of an allowed area of memory
Third-party vulnerability: a weakness or flaw in an external vendor, supplier, or service provider’s system, process, or software that can be exploited to compromise the security of a connected organization.
Uninitialized variable vulnerability: occurs when a program accesses a variable before it has been initialized
Use-After-Free (UAF) vulnerability: a type of memory corruption vulnerability that occurs when a program continues to access memory locations that have already been freed.
Published Date: 11/14/24
Last updated: 11/14/24
Revision Number: 1.0
CVSS Score: v3.1: 6.8/10, v4.0: 8.4/10
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Version(s) | Corrected in Software Revision |
| Verve Reporting | <v1.39 | V1.39 |
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-37287 IMPACT
Verve Reporting utilizes Kibana which contains a remote code execution vulnerability that allows an attacker with access to ML and Alerting connecting features as well as write access to internal ML to trigger a prototype pollution vulnerability, which can ultimately lead to arbitrary code execution. The code execution is limited to the container.
CVSS Base Score v3.1: 7.2/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS Base Score v4.0: 8.6/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
Published Date: 11/14/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.3/10, v4.0: 7.0/10
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Software Version | Corrected in Software Version |
| Arena® Input Analyzer | 16.20.03 and prior | 16.20.04 |
VULNERABILITY DETAILS
These vulnerabilities were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-6068 IMPACT
A memory corruption vulnerability exists in the affected products when parsing DFT files. Local threat actors can exploit this issue to disclose information and to execute arbitrary code. To exploit this vulnerability a legitimate user must open a malicious DFT file.
CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1284 Improper Validation of Specified Quantity in Input
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Published Date: November 12th, 2024
Last updated: November 12th, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.3/10, v4.0: 7.0/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve our customer’s business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Revision | Corrected in Software Revision |
| FactoryTalk View ME | >= V14; when using default folder privileges | V15 |
Mitigations and Workarounds
Users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.
· To enhance security and prevent unauthorized modifications to HMI project files, harden the Windows OS by removing the INTERACTIVE group from the folder’s security properties.
· Add specific users or user groups and assign their permissions to this folder using the least privileges principle. Users with read-only permission can still test run and run the FactoryTalk View ME Station.
· Guidance can be found in the FactoryTalk View ME v14 Help topic “HMI projects folder settings”. It can be opened through the FactoryTalk View ME Studio menu: Help > Contents > FactoryTalk View ME Help > Create a Machine Edition application > Open applications > HMI project folder settings.
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-37365 IMPACT
A remote code execution vulnerability exists in the affected product. The vulnerability allows users to save projects within the public directory allowing anyone with local access to modify and/or delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate their privileges by changing the macro to execute arbitrary code.
CVSS 3.1 Base Score: 7.3/10
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.0/10
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: 11/12/2024
Last Updated: 11/12/2024
Revision Number: 1.0
CVSS Score: Multiple, see below
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | CVE | First Known in Software Version | Corrected in Software Version |
| FactoryTalk® Updater – Web Client | CVE-2024-10943 | v4.00.00 | v4.20.00 |
| FactoryTalk® Updater – Client | CVE-2024-10944 | All versions | V4.20.00 |
| FactoryTalk® Updater – Agent | CVE-2024-10945 | All versions | V4.20.00 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-10943 IMPACT
An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.
CVSS 3.1 Base Score: 9.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0 Base Score: 9.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE: CWE-922: Insecure Storage of Sensitive Information
Known Exploited Vulnerability (KEV) database: No
CVE-2024-10944 IMPACT
A Remote Code Execution vulnerability exists in the affected product. The vulnerability requires a high level of permissions and exists due to improper input validation, which could result in a malicious Updater Agent being deployed.
CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· Control access to the server where FactoryTalk® Updater is running.
· Click the ‘Scan’ button, which will update the database
CVE-2024-10945 IMPACT
A Local Privilege Escalation vulnerability exists in the affected product. The vulnerability requires a local, low privileged threat actor to replace certain files during update and exists due to a failure to perform proper security checks before installation.
CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-358: Improperly Implemented Security Check for Standard
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ThinManager® Multiple Vulnerabilities
Published Date: 10/25/2024
Last Updated: 10/25/2024
Revision Number: 1.0
CVSS Score: Multiple, see below
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Version(s) | Corrected Version(s) |
| ThinManager® | 11.2.0-11.2.9, 12.0.0-12.0.7, 12.1.0-12.1.8, 13.0.0-13.0.5, 13.1.0-13.1.3, 13.2.0-13.2.2, 14.0.0 | 11.2.10, 12.0.8, 12.1.9, 13.0.6, 13.1.4, 13.2.3, 14.0.1 (available from ThinManager Downloads) |
VULNERABILITY DETAILS
The security of our products is important to us as your chosen industrial automation supplier. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. These vulnerabilities were discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.
CVE-2024-10386 IMPACT
An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulation.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-306: Missing Authentication for Critical Function
Known Exploited Vulnerability (KEV) database: No
CVE-2024-10387 IMPACT
A Denial-of-Service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in Denial-of-Service.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-125: Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply these risk mitigations, if possible.
If able, navigate to the ThinManager® download site and upgrade to a corrected version of ThinManager®.
Implement network hardening for ThinManager® Device(s) by limiting communications to TCP 2031 to only the devices that require connection to the ThinManager® .
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Published Date: October 10, 2024
Last updated: October 10, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5, v4.0: 8.7
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in firmware revision | Corrected in firmware revision |
| ControlLogix® 5580 | V28.011 | V33.017, V34.014, V35.013, V36.011 and later |
| ControlLogix® 5580 Process | V33.011 | V33.017, V34.014, V35.013, V36.011 and later |
| GuardLogix 5580 | V31.011 | V33.017, V34.014, V35.013, V36.011 and later |
| CompactLogix 5380 | V28.011 | V33.017, V34.014, V35.013, V36.011 and later |
| Compact GuardLogix 5380 SIL 2 | V31.011 | V33.017, V34.014, V35.013, V36.011 and later |
| Compact GuardLogix 5380 SIL 3 | V32.013 | V33.017, V34.014, V35.013, V36.011 and later |
| CompactLogix 5480 | V32.011 | V33.017, V34.014, V35.013, V36.011 and later |
| FactoryTalk® Logix Echo | V33.011 | V34.014, V35.013, V36.011 and later |
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerability was reported to Rockwell Automation by Trevor Flynn.
CVE-2024-6207 IMPACT
A denial-of-service vulnerability exists in the affected products that causes the device to enter a major nonrecoverable fault (MNRF) when it receives an invalid CIP request. To exploit this vulnerability a malicious user must chain this exploit with CVE-2021-22681 and send a specially crafted CIP message to the device. If exploited, a threat actor could prevent access by the legitimate user and end connections to connected devices, including the workstation. To recover the controllers, a download is required, which ends any process that the controller is running.
CVSS Base Score v3.1: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score v4.0: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Users of the affected software are also encouraged to apply security best practices to minimize the risk of the vulnerability.
ADDITIONAL RESOURCES
JSON CVE-2024-6207
Published Date: 10/8/2024
Last Updated: 10/8/2024
Revision Number: 1.0
CVSS Score: 8.2/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Software Version | Corrected in Software Version |
| Drives - PowerFlex 6000T | 8.001, 8.002, 9.001 | 10.001 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-9124 IMPACT
A denial-of-service vulnerability exists in the PowerFlex® 6000T. If the device is overloaded with requests, it will become unavailable. The device may require a power cycle to recover it if it does not re-establish a connection after it stops receiving requests.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 8.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: Improper Check for Unusual or Exceptional Conditions
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Logix Controllers Vulnerable to Denial-of-Service Vulnerability
Published Date: October 8, 2024
Last updated: October 10, 2024
Revision Number: 2.0
CVSS Score: 8.7/10
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
| CompactLogix 5380 controllers | v33.011< | |
| Compact GuardLogix® 5380 controllers | v33.011< | |
| CompactLogix 5480 controllers | v33.011< | |
| ControlLogix 5580 controllers | v33.011< | |
| GuardLogix 5580 controllers | v33.011< | |
| 1756-EN4TR | v3.002 | |
Mitigations and Workarounds
Customers using the affected versions are encouraged to upgrade to corrected firmware versions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
VULNERABILITY DETAILS
CVE-2024-8626 IMPACT
Due to a memory leak, a denial-of-service vulnerability exists in the affected products. A malicious actor could exploit this vulnerability by performing multiple actions on certain web pages of the product causing the affected products to become fully unavailable and require a power cycle to recover.
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVSS Base Score: 7.5/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score: 8.7/10 (high)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: 400 – Uncontrolled Resource Consumption
ADDITIONAL RESOURCES
Published Date: 10/8/24
Last updated: 10/8/24
Revision Number: 1.0
CVSS Score: v3.1: 6.8, v4.0: 8.4
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Versions | Corrected in Software Version |
| Verve® Asset Manager | All versions < 1.38 | V1.38 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-9412 IMPACT
An improper authorization vulnerability exists in the affected products that could allow an unauthorized user to sign in. While removal of all role mappings is unlikely, it could occur in the case of unexpected or accidental removal by the administrator. If exploited, an unauthorized user could access data they previously had, but should no longer have, access to.
CVSS Base Score v3.1: 6.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score v4.0: 8.4/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-842: Placement of User into Incorrect Group
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
The presence of any mappings will help prevent this vulnerability from being exploited. If all mappings must be removed, manually removing previously mapped users is an effective workaround.
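The failure mode described above, an authorization layer that admits previously provisioned accounts once the role-mapping table is empty, is a general pattern worth seeing side by side with its safe form. The code below is an added example written for this page; it is not Verve Asset Manager code, and the `RoleMappings`, `LocalUser` and `deprovision_unmapped` names, along with the group and role values, are constructed for illustration. It contrasts a hypothetical fail-open sign-in check with a fail-closed one, and automates the advisory's workaround of removing users who no longer resolve to any mapping.

```python
from dataclasses import dataclass, field


@dataclass
class RoleMappings:
    """Identity-provider group -> application role table, as an administrator maintains it.
    Constructed for this example; the real product's schema is not on the page."""
    group_to_role: dict = field(default_factory=dict)


@dataclass
class LocalUser:
    """An application account provisioned through an earlier mapping.
    `groups` is what the identity provider asserts for the user at sign-in."""
    name: str
    groups: tuple


def resolve_roles(user: LocalUser, mappings: RoleMappings) -> set:
    """Roles the user holds right now through an explicit mapping (empty set if none)."""
    return {mappings.group_to_role[g] for g in user.groups if g in mappings.group_to_role}


def sign_in_fail_open(user: LocalUser, mappings: RoleMappings) -> bool:
    """Hypothetical vulnerable pattern (the CWE-842 class named in the advisory):
    an empty mapping table is read as 'nothing configured, nothing to enforce',
    so every previously provisioned account keeps signing in."""
    if not mappings.group_to_role:
        return True  # fail-open: the dangerous branch
    return bool(resolve_roles(user, mappings))


def sign_in_fail_closed(user: LocalUser, mappings: RoleMappings) -> bool:
    """Hardened form: access requires at least one role obtained through a live mapping.
    With the table emptied nobody signs in, which is the safe failure."""
    return bool(resolve_roles(user, mappings))


def deprovision_unmapped(users, mappings: RoleMappings) -> list:
    """The advisory's manual workaround, automated: list the accounts that no longer
    resolve to any role so they can be removed, rather than relying on the sign-in
    check alone to keep them out."""
    return [u.name for u in users if not resolve_roles(u, mappings)]


if __name__ == "__main__":
    mappings = RoleMappings({"ops-admins": "admin", "ops-viewers": "viewer"})
    alice = LocalUser("alice", ("ops-admins",))
    bob = LocalUser("bob", ("contractors",))
    print("with mappings:", sign_in_fail_closed(alice, mappings), sign_in_fail_closed(bob, mappings))
    mappings.group_to_role.clear()  # the accidental removal the advisory warns about
    print("fail-open admits bob:", sign_in_fail_open(bob, mappings))
    print("fail-closed admits bob:", sign_in_fail_closed(bob, mappings))
    print("accounts to remove:", deprovision_unmapped([alice, bob], mappings))
```

The design point is that "no policy" and "deny everyone" must be the same state for an authorization check; an empty configuration is never a reason to grant access.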
ADDITIONAL RESOURCES
Published Date: 10/8/24
Revision Number: 1.0
CVSS Score: v3.1: 7.5, 8.1, 7.8, 9.8; v4.0: 8.7, 9.3
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Versions | Corrected in Software Version |
| DataEdgePlatform DataMosaix™ Private Cloud | <=7.07 | v7.09 |
VULNERABILITY DETAILS
Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.
CVE-2019-14855 IMPACT
The affected product utilizes GnuPG which contains a certificate signature vulnerability found in the SHA-1 algorithm. A threat actor could use this weakness to create forged certificate signatures. If exploited, a malicious user could view customer data.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2019-17543 IMPACT
The affected product utilizes LZ4 which contains a heap-based buffer overflow vulnerability in versions before 1.9.2 (related to LZ4_compress_destSize), that affects applications that call LZ4_compress_fast with a large input. This issue can also lead to data corruption. NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." If exploited, a malicious actor could perform a remote code execution.
CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2019-18276 IMPACT
The affected product utilizes GNU Bash, which contains a vulnerability in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. A threat actor with command execution in the shell can use "enable -f" for runtime loading to gain privileges. If exploited, a malicious actor could perform a remote code execution.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2019-19244 IMPACT
The affected product utilizes SQLite 3.30.1, which contains a vulnerability in sqlite3Select in select.c that allows a crash if a subselect uses both DISTINCT and window functions and has certain ORDER BY usage. If exploited, a malicious actor could perform a denial-of-service, which would require the user to restart the software to recover it.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2019-9893 IMPACT
The affected product utilizes libseccomp, which contains a vulnerability in versions 2.4.0 and earlier that does not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE). This vulnerability could lead to bypassing seccomp filters and potential privilege escalations. If exploited, a malicious actor could perform a remote code execution.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2019-9923 IMPACT
The affected product utilizes GNU Tar, which contains a vulnerability in pax_decode_header in sparse.c in versions before 1.32. pax_decode_header has a NULL pointer dereference when parsing certain archives that have malformed extended headers. If exploited, a malicious actor could perform a denial-of-service, which would require the user to restart the software to recover it.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date: 10/8/24
Revision Number: 1.0
CVSS Score: v3.1: 7.5, 8.8; v4.0: 8.7
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Versions | Corrected in Software Version |
| DataEdgePlatform DataMosaix™ Private Cloud | <=7.07 | v7.09 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-7952 IMPACT
A data exposure vulnerability exists in the affected product. There are hardcoded links in the source code that lead to JSON files that can be reached without authentication. If exploited, a threat actor could view customer data.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE: Exposure of Sensitive Information to an unauthorized Actor
Known Exploited Vulnerability (KEV) database: No
CVE-2024-7953 IMPACT
A vulnerability exists in the affected products that allows a threat actor to create a project and become the administrator for it. If exploited, a threat actor could create, modify, and delete their own project.
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: Missing Authorization
Known Exploited Vulnerability (KEV) database: No
CVE-2024-7956 IMPACT
A vulnerability exists in the affected products that allows a threat actor to gain access to users' projects. To exploit this vulnerability, the threat actor must have basic user privileges. If exploited, the threat actor can modify and delete the project.
CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0 Base Score: 7.6
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date: September 19, 2024
Last updated: September 19, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.7/10, v4.0: 8.8/10
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Software Version | Corrected in Software Version |
| RSLogix 500® | All | n/a |
| RSLogix™ Micro Developer and Starter | All | n/a |
| RSLogix™ 5 | All | n/a |
Users using the affected software are encouraged to apply the following mitigations and security best practices, where possible.
· Deny the execution feature in FactoryTalk® Administration Console, when not needed, by navigating to "Policies", selecting "Enable/Disable VBA", and then checking the "Deny" box to block VBA code execution.
· Save project files in a Trusted® location where only administrators can modify them, and verify file integrity.
· Utilize the VBA editor protection feature, which locks the VBA code from viewing and editing by setting a password.
VULNERABILITY DETAILS
Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82.
A feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability.
CVE-2024-7847 IMPACT
CVSS Base Score 3.1: 7.7/10
CVSS Vector String 3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS Base Score 4.0: 8.8/10
CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CWE: CWE-345 (Insufficient verification of data authenticity)
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Software Versions | Corrected in Software Version |
| 5015-U8IHFT | V1.011 and V1.012 | V2.011 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-45825 IMPACT
A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· Block communication to CIP class 883 if it is not required
· Block communication to CIP class 67 if it is not required
· Enforce proper network segmentation and routing controls
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 8.1/10, v4.0: 9.2/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Software Versions | Corrected in Software Version |
| FactoryTalk® Batch View™ | 2.01.00 | 3.00.00 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-45823 IMPACT
An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.
CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 6.8/10, v4.0: 8.5/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Software Versions | Corrected in Software Version |
| ThinManager® | V13.1.0 - 13.1.2, V13.2.0 - 13.2.1 | V13.1.3, V13.2.2 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-45826 IMPACT
Due to improper input validation, a path traversal and remote code execution vulnerability exists when the ThinManager® processes a crafted POST request. If exploited, a user can install an executable file.
CVSS 3.1 Base Score: 6.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-610: Externally Controlled Reference to a Resource in Another Sphere
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.8/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Software Versions | Corrected in Software Version |
| AADvance® Trusted® SIS Workstation | 2.00.01 and earlier | 2.00.02 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2023-31102 IMPACT
A vulnerability exists which could allow remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability because the target must visit a malicious page or open a malicious file.
The specific vulnerability exists in the analysis of 7Z files. The problem results from the lack of proper validation of user-supplied data, which can lead to an integer underflow before writing to memory. A threat actor can exploit this vulnerability to execute code in the context of the current process.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
CVE-2023-40481 IMPACT
A SquashFS file parsing out-of-bounds write remote code execution vulnerability exists in 7-Zip that allows remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is also required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file.
The specific vulnerability arises during the analysis of SQFS files due to the lack of proper validation of user-supplied data. This can cause a write operation to exceed the end of an allocated buffer. A threat actor can exploit this vulnerability to execute code in the context of the current process.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· Do not archive or restore projects from unknown sources.
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Software Versions | Corrected in Software Version |
| FactoryTalk® View Site Edition | V12.0, V13.0, V14.0 | |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-45824 IMPACT
A remote code execution vulnerability exists in the affected products. The vulnerability occurs when chained with path traversal, command injection, and XSS vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue.
CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-77: Improper Neutralization of Special Elements used in a Command
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
· Navigate to the following link and apply the patches; directions are on the linked page.
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date: 9/12/24
Revision Number: 1.0
CVSS Score: v3.1: 7.6, 7.2; v4.0: 8.8, 7.6
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Software Version | Corrected in Software Version |
| Pavilion8® | <V5.20 | V6.0 and later |
VULNERABILITY DETAILS
Rockwell Automation used the latest versions of the CVSS scoring system to assess the vulnerabilities.
CVE-2024-7960 IMPACT
The affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.
CVSS 3.1 Base Score: 7.6
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CVSS 4.0 Base Score: 8.8
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
CWE: Improper Privilege Management
Known Exploited Vulnerability (KEV) database: No
CVE-2024-7961 IMPACT
A path traversal vulnerability exists in the affected product. If exploited, the threat actor could upload arbitrary files to the server that could result in a remote code execution.
CVSS 3.1 Base Score: 7.2
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.6
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 7.7/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
| 2800C OptixPanel™ Compact | 4.0.0.325 | 4.0.2.116 |
| 2800S OptixPanel™ Standard | 4.0.0.350 | 4.0.2.123 |
| Embedded Edge Compute Module | 4.0.0.347 | 4.0.2.106 |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-8533 IMPACT
A privilege escalation vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-269: Improper Privilege Management
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply security best practices.
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
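The root cause named for CVE-2024-8533, credential files shipped with default permissions that let other local accounts read them, is something an operator can audit on any POSIX-style filesystem without knowing the product internals. The scanner below is an added example written for this page, not Rockwell Automation code, and it does not know where the affected products store credentials: the file-name patterns, the sample tree it builds and the file contents are all constructed for the demonstration. It reports secret-looking files whose mode bits expose them to the group or to everyone, and shows the owner-only mode such files should have had from the start.

```python
import os
import stat
import tempfile
from pathlib import Path

# File-name patterns that commonly hold secrets. Constructed for this example;
# extend the list for the platform being audited.
SENSITIVE_PATTERNS = ("*.pem", "*.key", "*secret*", "*credential*", "*.conf")


def permission_findings(root, patterns=SENSITIVE_PATTERNS):
    """Walk `root` and report secret-looking regular files whose mode lets other
    local accounts read or modify them. Returns sorted (path, octal_mode, reasons)."""
    findings = {}  # keyed by path so a file matching two patterns is reported once
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            if path.is_symlink() or not path.is_file():
                continue  # links and directories are out of scope for this check
            mode = path.stat().st_mode
            reasons = []
            if mode & stat.S_IROTH:
                reasons.append("world-readable")
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if mode & stat.S_IRGRP:
                reasons.append("group-readable")
            if mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("setuid/setgid")
            if reasons:
                findings[str(path)] = (str(path), oct(stat.S_IMODE(mode)), reasons)
    return sorted(findings.values())


def harden(path):
    """Owner read/write only: the default a credential file should ship with."""
    os.chmod(path, 0o600)


def demo():
    """Build a constructed tree in a temporary directory, scan it, fix the findings
    and rescan. Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "app/db_credentials.conf": 0o644,  # readable by every local account: finding
            "app/tls/server.key": 0o600,       # owner-only: clean
            "app/tls/server.pem": 0o664,       # group-writable and world-readable: finding
            "app/README.txt": 0o644,           # not a secret pattern: ignored
        }
        for rel, mode in samples.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed sample content\n")
            os.chmod(p, mode)
        before = permission_findings(root)
        for path, _, _ in before:
            harden(path)
        after = permission_findings(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, mode, reasons in before:
        print(f"{mode} {path}: {', '.join(reasons)}")
    print(f"{len(before)} finding(s) before hardening, {len(after)} after")
```

Group-readable is flagged as well as world-readable because on an appliance the service account's group is often shared with interactive users; tighten or relax that rule to match the platform's account model.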
ADDITIONAL RESOURCES
Published Date: 9/12/2024
Updated Date: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.4, v4.0: 8.3
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Family | First Known in Software/Firmware Version | Corrected in Software/Firmware Version |
| CompactLogix 5380 | v.32.011 | v33.017, v34.014, v35.013, v36.011 and later |
| CompactLogix 5380 Process | v.33.011 | v33.017, v34.014, v35.013, v36.011 and later |
| Compact GuardLogix 5380 SIL 2 | v.32.013 | v33.017, v34.014, v35.013, v36.011 and later |
| Compact GuardLogix 5380 SIL 3 | v.32.011 | v33.017, v34.014, v35.013, v36.011 and later |
| CompactLogix 5480 | v.32.011 | v33.017, v34.014, v35.013, v36.011 and later |
| ControlLogix® 5580 | v.32.011 | v33.017, v34.014, v35.013, v36.011 and later |
| ControlLogix® 5580 Process | v.33.011 | v33.017, v34.014, v35.013, v36.011 and later |
| GuardLogix 5580 | v.32.011 | v33.017, v34.014, v35.013, v36.011 and later |
| 1756-EN4 | v2.001 | v6.001 and later |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-6077 IMPACT
A denial-of-service vulnerability exists in the affected products when specially crafted packets are sent to the CIP Security Object. If exploited the device will become unavailable and require a factory reset to recover.
CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers who are unable to upgrade to the corrected software versions are encouraged to apply the following risk mitigations.
Users who do not wish to use CIP Security can disable the feature per device. See "Disable CIP Security" in Chapter 2 of "CIP Security with Rockwell Automation Products" (publication SECURE-AT001).
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
JSON CVE-2024-6077
Published Date: 8/22/24
Last updated: 8/22/24
Revision Number: 1.0
CVSS Score: v3.1: 5.5, 7.8, 9.8, v4.0: 6.8, 8.5, 9.3
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
| ThinManager® ThinServer™ | 11.1.0-11.1.7 | 11.1.8, 11.2.9, 12.0.7, 12.1.8, 13.0.5, 13.1.3, 13.2.2 |
VULNERABILITY DETAILS
Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Nicholas Zubrisky of Trend Micro Security Research.
CVE-2024-7986 IMPACT
A vulnerability exists in the affected products that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.
CVSS Base Score v3.1: 5.5/10
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Base Score v4.0: 6.8/10
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE: CWE-269 Improper Privilege Management
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
CVE-2024-7987 IMPACT
A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. To exploit this vulnerability, a threat actor must abuse the ThinServer™ service by creating a junction and using it to upload arbitrary files.
CVSS Base Score v3.1: 7.8/10
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Base Score v4.0: 8.5/10
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2024-7988 IMPACT
A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. This vulnerability exists due to the lack of proper data input validation, which allows files to be overwritten.
CVSS Base Score v3.1: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Base Score v4.0: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-20: Improper Input Validation
Mitigations and Workarounds
Customers using the affected software are encouraged to implement our suggested security best practices to minimize the risk of vulnerability.
ADDITIONAL RESOURCES
Published Date: August 13, 2024
Last updated: August 13, 2024
Revision Number: 1.0
CVSS Score: Please see below
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
| AADvance® Standalone OPC-DA Server | v2.01.510 | v2.02 and later |
VULNERABILITY DETAILS
CVE IMPACT
An arbitrary code execution vulnerability exists in the affected product. The vulnerability occurs due to a vulnerable component, Log4Net v1.2, which has multiple vulnerabilities listed below:
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: 8/13/2024
Updated Date: 8/13/2024
Revision Number: 1.0
CVSS: v3.1: 9.1, v4.0: 8.6
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
| DataMosaix™ Private Cloud | V7.07 < | v7.09 or later |
Mitigations and Workarounds
Customers using the affected software are encouraged to upgrade the DataMosaix™ Private Cloud software from V7.07 to V7.09. The application support team will work with respective customers to upgrade.
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
VULNERABILITY DETAIL
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-6078 IMPACT
An improper authentication vulnerability exists in the affected product, which could allow a malicious user to generate cookies for any user ID without the use of a username or password. If exploited, a malicious user could take over the account of a legitimate user. The malicious user would be able to view and modify data stored in the cloud.
CVSS Base Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Base Score: 8.6
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: August 13, 2024
Last updated: September 13, 2024
Revision Number: 2.0
September 14, 2024 - Updated Affected Product and Solutions Table
CVSS Score: v3.1 7.5/10, v4.0 8.7/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Firmware Version | Corrected in Firmware Version |
| CompactLogix 5380 | v28.011 | v34.014, v35.013, v36.011 and later |
| ControlLogix 5580 | v28.011 | v34.014, v35.013, v36.011 and later |
| GuardLogix 5580 | v31.011 | v34.014, v35.013, v36.011 and later |
| Compact GuardLogix 5380 SIL2 | v31.011 | v34.014, v35.013, v36.011 and later |
| Compact GuardLogix 5380 SIL3 | V32.013 | v34.014, v35.013, v36.011 and later |
| CompactLogix 5480 | V32.011 | v34.014, v35.013, v36.011 and later |
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the following risk mitigations, if possible:
Restrict communication to CIP object 103 (0x67)
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-7507 IMPACT
A denial-of-service vulnerability exists in the affected products. This vulnerability occurs when a malformed PCCC message is received, causing a fault in the controller.
CVSS 3.1 Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: None
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: 8/13/2024
Last Updated: 8/15/2025
Revision Number: 2
CVSS Score: v3.1: 8.8/10, v4.0: 8.5/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
| FactoryTalk® View SE | 13.0 | 15.00 |
Mitigations and Workarounds
Customers using the affected software are encouraged to apply security best practices, if possible.
In Version 14: Open FactoryTalk® View Studio -> Help -> FactoryTalk® View SE Help -> In the Help file -> Security -> “HMI projects folder”
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-7513 IMPACT
A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions that allow any user to edit or replace files which are then executed by an account with elevated permissions.
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
Known Exploited Vulnerability (KEV) database: No
ADDITIONAL RESOURCES
Published Date: August 13, 2024
Last updated: September 13, 2024
Revision Number: 2.0
September 13th, 2024 – Updated “Corrected in Firmware Versions”
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Firmware Version | Corrected in Firmware Version |
| ControlLogix® 5580 | v34.011 | v34.014, v35.011 and later |
| GuardLogix 5580 | v34.011 | v34.014, v35.011 and later |
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.
CVE-2024-40619 IMPACT
A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.
CVSS 3.1 Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-754: Improper Check for Unusual or Exceptional Conditions
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: August 13, 2024
Last updated: August 13, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.4/10, v4.0: 5.3/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in software version | Corrected in software revision |
| Pavilion8® | v5.20 | v6.0 |
Mitigations and Workarounds
Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
Interactions between the Console and Dashboard take place on the same machine; that machine should be behind a firewall, and physical access to it should be limited to authorized personnel.
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.
CVE-2024-40620 IMPACT
A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality.
CVSS 3.1 Base Score: 7.4/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CVSS 4.0 Base Score: 5.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
CWE-311: Missing Encryption of Sensitive Data
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
JSON CVE-2024-40620
Micro850/870 Vulnerable to denial-of-service Vulnerability via CIP/Modbus Port
Published Date: 8/13/24
Last Updated: 8/13/2024
Revision Number: 1.0
CVSS Score: v3.1: 5.3/10, v4.0: 6.9/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
| PLC - Micro850/870 (2080-L50E/2080-L70E) | v20.011 | v22.011 |
VULNERABILITY DETAILS
Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-7567 IMPACT
A denial-of-service vulnerability exists via the CIP/Modbus port in the affected products. If exploited, CIP/Modbus communication may be disrupted for a short duration.
CVSS Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Base Score: 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CWE: CWE-400: Uncontrolled Resource Consumption
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply security best practices, if possible.
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date 8/13/2024
Updated Date: 8/13/2024
Revision Number: 1.0
CVSS: v3.1: 6.7, v4.0: 5.4
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
| Emulate3D™ | 17.00.00.13348 | |
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-6079 IMPACT
A vulnerability exists in the affected product which could be leveraged to execute a DLL hijacking attack. The application loads shared libraries that are readable and writable by any user. If exploited, a malicious user could plant a malicious DLL and perform a remote code execution attack.
CVSS Base Score: 6.7
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Base Score: 5.4
CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-610: Externally Controlled Reference to a Resource in Another Sphere
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the following risk mitigations, if possible:
· Update to the corrected software version, 17.00.00.13348.
· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: August 1, 2024
Last updated: August 29th, 2024
Revision Number: 2.0
August 29, 2024 - Updated Affected Products and Solution Chart for 1756-EN2T, 1756-EN2F, 1756-EN2TR, 1756-EN3TR
CVSS Score: v3.1: 8.4/10, v4.0: 8.5/10
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
| ControlLogix® 5580 (1756-L8z) | V28 | V32.016, V33.015, V34.014, V35.011 and later |
| GuardLogix® 5580 (1756-L8zS) | V31 | V32.016, V33.015, V34.014, |
| 1756-EN4TR | V2 | V5.001 and later |
| 1756-EN2T, Series A/B/C | v5.007 (unsigned) / v5.027 (signed) | No fix for Series A/B/C. Upgrade to Series D. |
| 1756-EN2F, Series A/B | v5.007 (unsigned) / v5.027 (signed) | No fix for Series A/B. Upgrade to Series C. |
| 1756-EN2TR, Series A/B | v5.007 (unsigned) / v5.027 (signed) | No fix for Series A/B. Upgrade to Series C. |
| 1756-EN3TR, Series A | v5.007 (unsigned) / v5.027 (signed) | No fix for Series A. Upgrade to Series B. |
| 1756-EN2T, Series D | V10.006 | V12.001 and later |
| 1756-EN2F, Series C | V10.009 | V12.001 and later |
| 1756-EN2TR, Series C | V10.007 | V12.001 and later |
| 1756-EN3TR, Series B | V10.007 | V12.001 and later |
| 1756-EN2TP, Series A | V10.020 | V12.001 and later |
VULNERABILITY DETAILS
CVE-2024-6242 IMPACT
A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller. If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.
CVSS Base Score v3.1: 8.4/10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H
CVSS Base Score v4.0: 7.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H
CWE-420: Unprotected Alternate Channel
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Users using the affected firmware and who are not able to upgrade to one of the corrected versions are encouraged to apply the following mitigation and security best practices, where possible.
· Limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: July 16, 2024
Last updated: July 16, 2024
Revision Number: 1.0
CVSS Score: v3.1: 8.8/10, v4.0: 8.7/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version(s) | Corrected in Software Revision |
| Pavilion8® | v5.15.00, v5.20.00 | v6.0 |
Mitigations and Workarounds
Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.
Limit access to only users who need it.
Periodically review user access and privileges to confirm accuracy.
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.
CVE-2024-6435 IMPACT
A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative level privileges. If exploited, an attacker could read sensitive data, and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges and reading sensitive information in the “views” section.
CVSS 3.1 Base Score: 8.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-732: Incorrect Permission Assignment for Critical Resource
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
JSON CVE-2024-6435
Major nonrecoverable fault in 5015 – AENFTXT
Published Date: 7/16/2024
Updated Date: 7/16/2024
Revision Number: 1.0
CVSS: v3.1: 7.5, v4.0: 8.7
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in firmware revision | Corrected in firmware revision |
| 5015-AENFTXT | v2.011 | v2.012 |
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-6089 IMPACT
An input validation vulnerability exists in the affected products when a manipulated PTP packet is sent, causing the secondary adapter to result in a major nonrecoverable fault. If exploited, a power cycle is required to recover the product.
CVSS Base Score v3.1: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score v4.0: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
Update to the corrected firmware revision, v2.012.
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: July 16, 2024
Last updated: October 1, 2024
Revision Number: 2.0
October 1, 2024 - Updated CVE Number.
CVSS Score: v3.1 7.5/10, v4.0 8.7/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Software Versions | Corrected in software version |
| SequenceManager™ | v2.0 or later | |
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-6436 IMPACT
An input validation vulnerability exists in the affected products which could allow a malicious user to send malformed packets to the server and cause a denial-of-service condition. If exploited, the device would become unresponsive, and a manual restart will be required for recovery. Additionally, if exploited, there could be a loss of view for the downstream equipment sequences in the controller. Users would not be able to view the status or command the equipment sequences, however the equipment sequence would continue to execute uninterrupted.
CVSS 3.1 Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: CWE-428: Unquoted Search Path or Element
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Users using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: July 11, 2024
Last updated: July 11, 2024
Revision Number: 1.0
CVSS Score: v3.1: 6.5/10, 5.9/10 ; v4.0: 6.0/10, 1.8/10
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | Affected Version | Corrected Version |
| FactoryTalk® System Services (installed via FTPM) | v6.40 | V6.40.01 |
| FactoryTalk® Policy Manager (FTPM) | v6.40 | V6.40.01 |
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-6325 IMPACT
The v6.40 release of FactoryTalk® Policy Manager allowed the private keys to be insecurely stored with read and execute privileges for the Windows group ‘Everyone’. These keys are used to generate digital certificates and pre-shared keys. This vulnerability could allow a malicious user with access to the machine to obtain private keys. If obtained, a malicious user could impersonate resources on the secured network. For customers using FactoryTalk® Policy Manager v6.40 who mitigated CVE-2021-22681 and CVE-2022-1161 by implementing CIP Security and did not update to the versions of the software that contain the remediation, this vulnerability could allow a threat actor to exploit CVE-2021-22681 and CVE-2022-1161.
CVSS Base Score v3.1: 6.5/10
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS Base Score v4.0: 6.0/10
CVSS Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
CWE: CWE-269 Improper Privilege Management
CVE-2024-6236 IMPACT
An exposure of sensitive information vulnerability exists in the FactoryTalk® System Service. A malicious user could exploit this vulnerability by starting a back-up or restore process, which temporarily exposes private keys, passwords, pre-shared keys, and database folders when they are temporarily copied to an interim folder. This vulnerability is due to the lack of explicit permissions set on the backup folder. If private keys are obtained by a malicious user, they could impersonate resources on the secured network.
CVSS Base Score v3.1: 5.9/10
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
CVSS Base Score v4.0: 1.8/10
CVSS Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
CWE-269 Improper Privilege Management
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Users using the affected software are encouraged to implement the following steps to invalidate the existing vulnerable private keys/digital certificates and regenerate new secure ones.
· Clear CIP Security configurations from devices and from FactoryTalk® Policy Manager
· Update FactoryTalk® System Services and FactoryTalk® Policy Manager to v6.40.01
· Redeploy CIP Security Policy
Detailed steps are below (FactoryTalk System Services (FTSS) is updated through the installation of FactoryTalk Policy Manager (FTPM)).
1) Remove deployed security policy from all devices using FactoryTalk® Policy Manager (FTPM):
a. Open FTPM.
b. Document all Zones' security settings and all Conduits' settings, as you must re-create them after updating FTPM.
c. Change all device ports' Policies > Zone values to the “Unassigned” Zone.
d. Delete all zones and conduits.
e. Deploy (CIP). Ensure that all endpoints were reset successfully.
f. [migrating from v6.40 only] Deploy (OPC UA). Ensure all endpoints were reset successfully.
i. For any OPC UA clients, perform whatever steps are required by those clients to remove the previously applied certificates.
g. Close FTPM.
2) Delete the \FTSS_backup folder:
a. c:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup
3) Delete the \keystore folder:
a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore
4) Delete any backup copies of the \keystore folder. They will be named the same as the \keystore folder but with a suffix appended to it, like:
a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore_source_2024_04_25_12_25_38_541566
5) Delete the PSKs.json file:
a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\PSKs.json
6) Delete any backup copies of the PSKs.json file. They will be named the same as the PSKs.json file but with a suffix appended to it, like:
a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\PSKs.json_source_2024_05_17_07_38_25_200356
7) Install FactoryTalk® Policy Manager version 6.40.01.
a. Restart the computer when prompted at the end of the install.
8) Open FTPM. FTPM will attempt to connect to the FactoryTalk® System Services web server before proceeding.
9) If FTPM could not connect to FactoryTalk® System Services (FTSS), it is because the FTSS service has not started yet. It will start eventually, or you can start the FTSS service manually in Windows Services.
10) Re-create the original Zones.
11) Move the devices from the unassigned Zone back to their original zones.
12) Re-create the original Conduits.
13) Deploy (CIP endpoints).
14) [migrating from v6.40 only] Deploy (OPC UA endpoints).
a. For any OPC UA client endpoints, manually apply the newly generated certificates from this deploy.
Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
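The file-system part of the procedure above (steps 2 through 6), plus a check for the ‘Everyone’ permission described under CVE-2024-6325, as an added PowerShell example that is not part of Rockwell Automation's advisory or software. It assumes the default ProgramData paths listed in the steps and that backup copies carry a `_source_<timestamp>` suffix as in the advisory's examples; function names are the example's own.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not Rockwell Automation's code. Two defender-side tasks:
    Get-FtssKeystoreEveryoneAce  - reports any ACE on the FTSS keystore folder
        granted to the 'Everyone' group (S-1-1-0), the world-readable condition
        described for CVE-2024-6325. No output means the condition is absent.
    Remove-FtssKeyMaterial        - performs steps 2-6 of the advisory procedure
        (FTSS_Backup, keystore, keystore backups, PSKs.json and its backups).
        Run it only after step 1 (policy cleared) and before step 7 (install).
  Assumptions: default ProgramData paths from the advisory; backup copies are
  named like the original with a '_source_<timestamp>' suffix.
#>
$FtssRoot   = Join-Path $env:ProgramData 'Rockwell Automation\FactoryTalk System Services'
$FtssBackup = Join-Path $env:ProgramData 'Rockwell\RNAServer\Global\RnaStore\FTSS_Backup'
$Keystore   = Join-Path $FtssRoot 'keystore'
$PskFile    = Join-Path $FtssRoot 'PSKs.json'

function Get-FtssKeystoreEveryoneAce {
    if (-not (Test-Path -LiteralPath $Keystore)) {
        Write-Warning "Keystore not found at $Keystore (already removed, or non-default install path)"
        return
    }
    # Compare by SID so the check works regardless of the OS display language.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    (Get-Acl -LiteralPath $Keystore).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone
        } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $Keystore
                Identity  = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}

function Remove-FtssKeyMaterial {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    # Step 2: FTSS_Backup folder; step 3: keystore folder; step 5: PSKs.json.
    $targets = @($FtssBackup, $Keystore, $PskFile)
    # Steps 4 and 6: backup copies of the keystore folder and of PSKs.json.
    $targets += Get-ChildItem -LiteralPath $FtssRoot -Filter 'keystore_*' -Directory -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName
    $targets += Get-ChildItem -LiteralPath $FtssRoot -Filter 'PSKs.json_*' -File -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName
    foreach ($t in $targets) {
        if (-not (Test-Path -LiteralPath $t)) { Write-Verbose "Not present: $t"; continue }
        # -WhatIf / -Confirm are honoured here, so the list can be reviewed before deletion.
        if ($PSCmdlet.ShouldProcess($t, 'Delete')) {
            Remove-Item -LiteralPath $t -Recurse -Force
        }
    }
}

# Typical use: audit first, then preview, then delete.
Get-FtssKeystoreEveryoneAce | Format-Table -AutoSize
Remove-FtssKeyMaterial -WhatIf
```

Run the audit again after step 7 (FTPM v6.40.01 installed) and step 13 (policy redeployed): a freshly generated keystore should no longer report an ‘Everyone’ entry.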
ADDITIONAL RESOURCES
ThinManager® ThinServer™ Improper Input Validation Vulnerabilities
Published Date: June 25, 2024
Last updated: June 25, 2024
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, 7.5/10; v4.0: 9.3/10, 8.7/10
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | CVE | First Known in software version | Corrected in software version (Available Here) |
| ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 11.1.0, 11.2.0, 12.0.0, 12.1.0, 13.0.0, 13.1.0, 13.2.0 | 11.1.8, 11.2.9, 12.0.7, 12.1.8, 13.0.5, 13.1.3, 13.2.2 |
| ThinManager® ThinServer™ | CVE-2024-5990 | 11.1.0, 11.2.0, 12.0.0, 12.1.0, 13.0.0, 13.1.0 | 11.1.8, 11.2.9, 12.0.7, 12.1.8, 13.0.4, 13.1.2 |
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations from the list below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.
· Update to the corrected software versions via the ThinManager® Downloads Site
· Limit remote access for TCP Port 2031 to known thin clients and ThinManager® servers.
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. These vulnerabilities were discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.
CVE-2024-5988 IMPACT
Due to improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the affected device.
CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-20: Improper Input Validation
CVE-2024-5989 IMPACT
Due to improper input validation, an unauthenticated threat actor can send a malicious message that performs SQL injection against the program, causing a remote code execution condition on the affected device.
CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-20: Improper Input Validation
CVE-2024-5990 IMPACT
Due to improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within ThinServer™, causing a denial-of-service condition on the affected device.
CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-20: Improper Input Validation
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date: June 13, 2024
Last updated: June 13, 2024
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in software version | Corrected in software version
FactoryTalk® View SE | v11.0 | v14.0
Mitigations and Workarounds
Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
It is recommended that users enforce proper access controls within the network and segment networks containing sensitive information using IPSec: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1090456
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.
CVE-2024-37368 IMPACT
A user authentication vulnerability exists in the affected product. The vulnerability allows a user from a remote system with FTView to send a packet to the customer's server to view an HMI project. Because the server does not properly authenticate the request, this action is allowed without proper authentication verification.
CVSS 3.1 Base Score: 9.8/10
CVSS 4.0 Base Score: 9.2/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: June 13, 2024
Last updated: June 13, 2024
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in software version | Corrected in software version
FactoryTalk® View SE | v12.0 | V14.0 and later
Mitigations and Workarounds
Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
It is recommended that users enforce proper access controls within the network and segment networks containing sensitive information using IPSec: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1090456
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.
CVE-2024-37367 IMPACT
A user authentication vulnerability exists in the affected product. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. This action is allowed without proper authentication verification.
CVSS 4.0 Base Score: 8.2/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: June 13, 2024
Last updated: June 13, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.8/10, v4.0: 8.5/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in software version | Corrected in software version
FactoryTalk® View SE | V12.0 | v14
Mitigations and Workarounds
Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
Use the Secure Install option when installing FactoryTalk® Services Platform.
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.
CVE-2024-37369 IMPACT
A privilege escalation vulnerability exists in the affected product. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.
CVSS 3.1 Base Score: 7.8/10
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5/10
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-732: Incorrect Permission Assignment for Critical Resource
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Published Date: June 11, 2024
Last updated: June 11, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.4/10, 4.0: 8.3/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in firmware revision | Corrected in firmware revision
ControlLogix® 5580 | V34.011 | V34.014, V35.013, V36.011 and later
GuardLogix 5580 | V34.011 | V34.014, V35.013, V36.011 and later
1756-EN4 | V4.001 | V6.001 and later
CompactLogix 5380 | V34.011 | V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 | V34.011 | V34.014, V35.013, V36.011 and later
CompactLogix 5480 | V34.011 | V34.014, V35.013, V36.011 and later
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-5659 IMPACT
Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to enter a major nonrecoverable fault (MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port. If exploited, the availability of the device would be compromised.
CVSS Base Score v3.1: 7.4/10
CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVSS Base Score v4.0: 8.3/10
CVSS Vector String: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
CWE-670: Always Incorrect Flow Implementation
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply the risk mitigations, where possible.
· Users who do not use Automatic Policy Deployment (APD) should block the mDNS port (5353) to help prevent this communication.
· Enable CIP Security; see the CIP Security with Rockwell Automation Products Application Technique.
ADDITIONAL RESOURCES
IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats
Due to heightened world tensions and negative cyber activity, Rockwell Automation suggests customers take IMMEDIATE action. Customers should check if they have devices facing the public internet. If so, remove that connectivity for devices not designed for public internet connectivity.
Rockwell Automation has guidance for all devices not specifically designed for public internet connectivity. Users should never configure their devices to be directly connected to the public-facing internet. Removing that connectivity as a proactive step reduces the attack surface. This can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.
Rockwell Automation and CISA (Cybersecurity and Infrastructure Security Agency) provide more information on attacks on public-internet-exposed assets. This includes information on how to identify exposed assets and disconnect them from the public internet.
Rockwell Automation suggests customers follow the security best practices if disconnection is not possible: Rockwell Automation | Security Best Practices [login required].
Customers should be aware of the following related CVEs and ensure mitigations are in place.
CVE No. | Alert Code (ICSA) | Advisory Name and Link, URL
2021-22681 | 21-056-03 | CISA: Rockwell Automation Logix Controllers (Update A), https://www.cisa.gov/news-events/ics-advisories/icsa-21-056-03
2022-1159 | 22-090-07 | CISA: Rockwell Automation Studio 5000 Logix Designer, https://www.cisa.gov/news-events/ics-advisories/icsa-22-090-07
2023-3595 | 23-193-01 | CISA: Rockwell Automation Select Communication Modules, https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01
2023-46290 | 23-299-06 | CISA: Rockwell Automation FactoryTalk Services Platform, https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-06
2024-21914 | 24-086-04 | CISA: Rockwell Automation FactoryTalk View ME, https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04
2024-21915 | 24-046-16 | CISA: Rockwell Automation FactoryTalk Service Platform, https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-16
2024-21917 | 24-030-06 | CISA: Rockwell Automation FactoryTalk Service Platform, https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-06
Published Date: May 14, 2024
Last updated: August 6, 2025
Revision Number: 1.0
CVSS Score: v3.1: 7.7/10, v4.0: 7.0/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in software version | Corrected in software version
FactoryTalk® Remote Access™ (FTRA) | v13.5.0.174 | V13.6
SECURITY ISSUE DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-3640 IMPACT
An unquoted executable path exists in the affected products. This could result in remote code execution if exploited. When running the FTRA installer package, the executable path is not properly quoted. This could allow a threat actor to enter a malicious executable and run it as a System user. A threat actor needs admin privileges to exploit this.
CVSS Base Score v3.1: 6.5/10
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-428: Unquoted Search Path or Element
CVSS Base Score v4.0: 7.0/10
CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Mitigations and Workarounds
Customers using the affected software that are not able to upgrade to one of the corrected versions should use the security best practices.
ADDITIONAL RESOURCES
The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.
Glossary
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Unquoted Executable Path: a vulnerability that occurs when a service is created with an executable path containing spaces and isn’t enclosed within quotes
Vulnerability Exploitability Exchange (VEX): a framework that allows software suppliers or other parties to assert the status of specific vulnerabilities in a particular product
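The glossary entry above describes the CWE-428 mechanism behind CVE-2024-3640 in general terms. As an added example, not part of the advisory and not Rockwell code, the following Python models how Windows resolves an unquoted command line containing spaces, so that an inventory of service registrations can be audited and each offending entry rewritten in quoted form. The service names and paths are constructed sample data; on a real Windows host the PathName values would come from Win32_Service (for example via Get-CimInstance Win32_Service), and all function names are assumptions of this example.

```python
import re

# Audit helpers for CWE-428 (Unquoted Search Path or Element).
# Input strings are command lines as stored for a Windows service
# (Win32_Service.PathName) or an installer's registered command.

_EXE_RE = re.compile(r"^(.*?\.exe)(?:\s+(.*))?$", re.IGNORECASE | re.DOTALL)


def split_command(cmdline: str):
    """Return (executable, arguments, quoted) for a Windows command line.

    A quoted command line is unambiguous: the executable is whatever sits
    between the first pair of double quotes.  For an unquoted one we take the
    intended executable to be everything up to the first '.exe' token.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            raise ValueError(f"unterminated quote in {cmdline!r}")
        return s[1:end], s[end + 1:].strip(), True
    m = _EXE_RE.match(s)
    if m:
        return m.group(1), (m.group(2) or "").strip(), False
    head, _, tail = s.partition(" ")
    return head, tail.strip(), False


def is_unquoted_with_spaces(cmdline: str) -> bool:
    """True when the executable path contains spaces but is not quoted (CWE-428)."""
    exe, _, quoted = split_command(cmdline)
    return (not quoted) and (" " in exe)


def resolution_candidates(cmdline: str):
    """Paths Windows tries, in order, for an unquoted path with spaces
    (documented CreateProcess lpCommandLine behaviour): each space-delimited
    prefix, with '.exe' appended when the prefix has no such extension.
    Every directory on this list must deny write access to standard users."""
    exe, _, quoted = split_command(cmdline)
    if quoted or " " not in exe:
        return [exe]
    parts = exe.split(" ")
    out = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"
        out.append(prefix)
    return out


def quoted_form(cmdline: str) -> str:
    """The remediated command line: executable wrapped in double quotes,
    arguments left unchanged."""
    exe, args, _ = split_command(cmdline)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(services):
    """Given {service_name: PathName}, return the services that need fixing
    mapped to their corrected command line."""
    return {
        name: quoted_form(path)
        for name, path in services.items()
        if is_unquoted_with_spaces(path)
    }


# Constructed sample inventory (not real Rockwell service registrations).
SAMPLE_SERVICES = {
    "GoodSvc": r'"C:\Program Files\Example Vendor\agent.exe" --service',
    "BadSvc": r"C:\Program Files\Example Vendor\agent.exe --service",
    "SystemSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; register as {fixed}")
        for p in resolution_candidates(SAMPLE_SERVICES[name]):
            print("   verify ACL on", p)
```

Only BadSvc is reported; resolution_candidates gives the locations whose directory ACLs an auditor must verify, and quoted_form gives the registration that removes the ambiguity.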
Published Date: May 15, 2024
Last updated: August 6, 2025
May 22, 2024 - Updated corrected software versions
Revision Number: 2.0
CVSS Score: v3.1: 7.6/10, v4.0: 8.8/10
The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and all business environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in software version | Corrected in software version
FactoryTalk® View SE | < 14 | V11, 12, 13, 14 or later
SECURITY ISSUE DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-4609 IMPACT
A security issue exists in the FactoryTalk® View SE Datalog function. This could allow a threat actor to inject a malicious SQL statement if the SQL database has no authentication in place or if legitimate credentials were stolen. The attack could result in information exposure, revealing sensitive information. A threat actor could then modify and delete the data in a remote database. An attack would only affect the HMI design time, not runtime.
CVSS v3.1 Base Score: 7.6/10
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CVSS v4.0 Base Score: 8.8/10
CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Mitigations and Workarounds
Customers using the affected software that are not able to upgrade to one of the corrected versions should use security best practices.
ADDITIONAL RESOURCES
The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.
Glossary
Published Date: May 9, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 7.7/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product | Affected Versions | Corrected in software version
FactoryTalk® Historian SE | < v9.0 | v9.01 and later
SECURITY ISSUE DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues.
CVE-2023-31274 IMPACT
FactoryTalk® Historian SE utilizes the AVEVA PI Server, which contains a security issue that could allow an unauthenticated user to cause a partial denial-of-service condition in the PI Message Subsystem of a PI Server by consuming available memory. This issue exists in FactoryTalk® Historian SE versions 9.0 and earlier. Exploitation of this issue could cause FactoryTalk® Historian SE to become unavailable, requiring a power cycle to recover it.
CVSS Base Score v3.1: 7.5/10
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score v4.0: 7.7/10
CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
CWE: Dependency on Vulnerable Third-Party Component
CVE-2023-34348 IMPACT
FactoryTalk® Historian SE uses the AVEVA PI Server, which contains a security issue that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server, resulting in a denial-of-service condition. This issue exists in FactoryTalk® Historian SE versions 9.0 and earlier. Exploitation of this issue could cause FactoryTalk® Historian SE to become unavailable, requiring a power cycle to recover it.
CVSS Base Score v3.1: 7.5/10
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score v4.0: 7.7/10
CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H
CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Mitigations and Workarounds
Customers using the affected software should install FactoryTalk® Historian SE version 9.01 or higher as soon as feasible. For customers unable to upgrade to v9.0, defensive measures are available in the Rockwell article.
Customers should use our suggested security best practices to minimize the risks.
ADDITIONAL RESOURCES
Glossary
Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
PI Message Subsystem: a part of the PI System that handles logging and messaging. It is responsible for managing PI Logs, which are binary files located in the PI/Log folder on a PI Server or PIPC/Log on clients and interface nodes
Published Date: April 16, 2024
Last updated: April 16, 2024
Revision Number: 1.0
CVSS Score: 9.8/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Production Centre | 10.0 | 11.03.00
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
CVE-2023-4664 IMPACT
Apache ActiveMQ, a component utilized in FactoryTalk Production Centre, is vulnerable to Remote Code Execution. The vulnerability may allow a remote threat actor with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. This could cause the broker to instantiate any class on the classpath.
CVSS Base Score: 9.8
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-502: Deserialization of Untrusted Data
Known Exploited Vulnerability (KEV) database: Yes
Users can use Stakeholder-Specific Vulnerability Categorization to generate environment-specific prioritization.
Mitigations and Workarounds
Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.
ADDITIONAL RESOURCES
Published Date: April 11, 2024
Last updated: August 5, 2025
Revision Number: 2.0
May 2, 2024 - Added products to the Affected Products and Solution section
CVSS Score: v3.1: 8.6/10, v4.0: 9.2/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
ControlLogix® 5580 | V35.011 | V35.013, V36.011 and later
GuardLogix 5580 | V35.011 | V35.013, V36.011 and later
CompactLogix 5380 | V35.011 | V35.013, V36.011 and later
Compact GuardLogix 5380 | V35.011 | V35.013, V36.011 and later
1756-EN4TR | V5.001 | V6.001 and later
ControlLogix 5580 Process | V35.011 | V35.013, V36.011 and later
CompactLogix 5380 Process | V35.011 | V35.013, V36.011 and later
CompactLogix 5480 | V35.011 | V35.013, V36.011 and later
SECURITY ISSUE DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues.
CVE-2024-3493 IMPACT
A specific malformed fragmented packet type can cause a Major Nonrecoverable Fault (MNRF). The affected product could become unavailable and require a manual restart to recover it. A MNRF could result in a loss of view and/or control of connected devices.
CVSS Base Score: 8.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVSS Base Score: 9.2/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
CWE: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Mitigations and Workarounds
Customers using the affected software that are not able to upgrade to one of the corrected versions should use the security best practices.
ADDITIONAL RESOURCES
The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.
Glossary
Published Date: April 11, 2024
Last updated: April 17, 2024
Revision Number: 2.0
4/17/24 - Updated Affected Products and Solutions
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in firmware version | Corrected in firmware version
5015-AENFTXT | v2.011 | v2.012 and later
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-2424 IMPACT
An input validation vulnerability exists in the affected products: when malicious input is received, the secondary adapter enters a major nonrecoverable fault (MNRF). If exploited, the availability of the device will be impacted, and a manual restart is required. A malformed PTP packet is needed to exploit this vulnerability.
CVSS 3.1 Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 Base Score: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
Arena® Simulation Vulnerabilities
Published Date: March 26, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: 7.8
AFFECTED PRODUCTS AND SOLUTION
Affected Product | CVE | First Known in Software Version | Corrected in Software Version
Arena® Simulation Software | CVE-2024-21912 | 16.00 |
Arena® Simulation Software | CVE-2024-21913 | |
Arena® Simulation Software | CVE-2024-2929 | |
Arena® Simulation Software | CVE-2024-21918 | |
Arena® Simulation Software | CVE-2024-21919 | |
Arena® Simulation Software | CVE-2024-21920 | 16.00 |
SECURITY ISSUE DETAILS
These security issues were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation uses the latest version of the CVSS scoring system to assess the following security issues.
CVE-2024-21912 IMPACT
An arbitrary code execution security issue could let a threat actor insert unauthorized code into the software. This is done by writing beyond the designated memory area, which causes an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To exploit this, a user would need to unknowingly open a corrupt file shared by the threat actor.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No
CVE-2024-21913 IMPACT
A heap-based memory buffer overflow security issue could allow a threat actor to insert unauthorized code into the software. This is done by overstepping the memory boundaries, which triggers an access violation. A threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To exploit this, a user would need to unknowingly open a corrupt file shared by the threat actor.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No
CVE-2024-2929 IMPACT
A memory corruption security issue could allow a threat actor to insert unauthorized code into the software. This is done by corrupting memory, triggering an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To exploit this, a user would need to unknowingly open a corrupted file shared by the threat actor.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Known Exploited Vulnerability (KEV) database: No
CVE-2024-21918 IMPACT
A memory buffer security issue could allow a threat actor to insert unauthorized code into the software. This is done by corrupting memory and triggering an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To exploit this, a user would need to unknowingly open a corrupted file shared by the threat actor.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
Known Exploited Vulnerability (KEV) database: No
CVE-2024-21919 IMPACT
An arbitrary code execution vulnerability exists in this product. A threat actor could leverage an uninitialized pointer that is passed throughout the application, allowing unauthorized code to be inserted into the software and resulting in undefined behavior. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To exploit this, a user would need to unknowingly open a corrupted file shared by the threat actor.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer
CVE-2024-21920 IMPACT
A memory buffer security issue could allow a threat actor to read beyond the intended memory boundaries. This could reveal sensitive information and cause the application to crash, resulting in a denial-of-service condition. To exploit this, a user would need to unknowingly open a corrupted file shared by the threat actor.
CVSS Base Score: 4.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
CWE-125: Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software should use the risk mitigations and security best practices.
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
ADDITIONAL RESOURCES
Glossary
Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process
Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations
Heap-based Memory Buffer Overflow: a type of buffer overflow that occurs in the heap data area. Memory on the heap is dynamically allocated at runtime and typically contains program data.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Memory Buffer: occurs when a program writes more data to a buffer than it can hold. This can lead to data corruption, program crashes, or unintended behavior
Memory Corruption: occurs when a flaw in software leads to the modification of memory in unintended ways, potentially causing unexpected behavior or providing avenues for exploitation
Uninitialized Pointer: occurs when a program accesses or uses a pointer that has not been initialized. If the pointer contains an uninitialized value, it might not point to a valid memory location, leading to unpredictable behavior and potential security vulnerabilities
Published Date: March 21, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in software version | Corrected in software version
PowerFlex® 527 | v2.001.x < | n/a
SECURITY ISSUE DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues.
CVE-2024-2425 IMPACT
A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. The web server would then crash and need a manual restart to recover it.
CVSS Base Score 3.1: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score 4.0: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-120: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
CVE-2024-2426 IMPACT
A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. A disruption in the CIP communication could occur and a manual restart will be required by the user to recover it.
CVSS Base Score 3.1: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score 4.0: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-120: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
CVE-2024-2427 IMPACT
A denial-of-service security issue exists in the PowerFlex® 527. This is due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly, the device will crash and require a manual restart to recover.
CVSS Base Score 3.1: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score 4.0: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-400: Uncontrolled Resource Consumption
Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Mitigations and Workarounds
There is no fix currently for this issue. Customers using the affected software should use the risk mitigations and security best practices.
ADDITIONAL RESOURCES
Glossary
CIP Communication: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. It comprises a series of protocols for communication between different devices and systems in automation technology
Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations
Traffic Throttling: a method used to intentionally slow down internet speed or data transmission to manage network congestion and ensure fair usage among users
Published Date: March 21, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: v3.1: 5.3/10, v4.0: 6.9/10
The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and all business environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| FactoryTalk® View ME | <v14 | v14 |
SECURITY ISSUE DETAILS
Rockwell Automation used the CVSS v3.1 and v4.0 scoring systems to assess the following security issues.
CVE-2024-21914 IMPACT
A security issue exists in the affected product. This allows a threat actor to restart the PanelView™ Plus 7 terminal remotely without security protections. This could lead to the loss of view or control of the PanelView™ product.
CVSS 3.1 Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0 Base Score: 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CWE: Improper security protection for remote restart action
Known Exploited Vulnerability (KEV) database: No
Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Mitigations and Workarounds
Customers using the affected software that are unable to upgrade to the corrected versions should use security best practices.
ADDITIONAL RESOURCES
Glossary
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Published Date: February 15, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: 9.0/10
The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and all business environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| FactoryTalk® Service Platform | <v2.74 | Update to v2.74 or later |
SECURITY ISSUE DETAILS
Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following security issues.
CVE-2024-21915 IMPACT
A privilege escalation security issue exists in FactoryTalk® Service Platform (FTSP). A threat actor with basic user group privileges could sign into the software and receive FTSP Administrator Group privileges. A threat actor could then read and modify sensitive data, delete data and render the FTSP system unavailable.
CVSS Base Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-279: Incorrect Execution-Assigned Permissions
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Customers using the affected software that cannot upgrade to the corrected versions should use mitigations and security best practices.
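Every security issue on this page quotes a CVSS v3.1 base score next to its vector string, and the two can be checked against each other. The calculator below is an added example, not Rockwell Automation's or FIRST's own code; it implements the v3.1 base-score equations from the public specification and re-derives the 9.0 above from its vector, with the sample score/vector pairs in the main block copied from advisories on this page.

```python
"""CVSS v3.1 base-score calculator (added example, not Rockwell Automation code).

Implements the base-score equations of the CVSS v3.1 specification
(https://www.first.org/cvss/v3.1/specification-document) so that the
score/vector pairs quoted in an advisory can be re-checked offline.
"""
import math

# Metric weights from the CVSS v3.1 specification (Table 8).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
# Privileges Required depends on Scope: (scope unchanged, scope changed)
_PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}

REQUIRED = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_vector(vector):
    """Split a v3.x vector string into a {metric: value} dict.

    Accepts an optional 'CVSS:3.1/' prefix and strips stray whitespace
    (one vector on this page contains a space after the prefix). Raises
    ValueError when a base metric is missing, so a garbled vector such as
    'S:CC:H' is reported instead of silently scored.
    """
    metrics = {}
    for part in vector.replace(" ", "").split("/"):
        if not part or part.upper().startswith("CVSS:"):
            continue
        if ":" not in part:
            raise ValueError("malformed metric %r" % part)
        name, value = part.split(":", 1)
        metrics[name] = value
    missing = [m for m in REQUIRED if m not in metrics]
    if missing:
        raise ValueError("missing base metrics: %s" % ", ".join(missing))
    return metrics


def roundup(value):
    """Round-up helper exactly as defined in CVSS v3.1 Appendix A."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(vector):
    """Return the CVSS v3.1 base score (0.0 to 10.0) for a vector string."""
    m = parse_vector(vector)
    try:
        changed = {"U": False, "C": True}[m["S"]]
        c, i, a = _CIA[m["C"]], _CIA[m["I"]], _CIA[m["A"]]
        av, ac, ui = _AV[m["AV"]], _AC[m["AC"]], _UI[m["UI"]]
        pr = _PR[m["PR"]][1 if changed else 0]
    except KeyError as exc:
        raise ValueError("unknown metric value %s" % exc)

    # Impact Sub-Score and the scope-dependent Impact equation.
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * av * ac * pr * ui

    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def check_advisory(entries):
    """Compare (published score, vector) pairs; return the mismatching ones."""
    mismatches = []
    for published, vector in entries:
        computed = base_score(vector)
        if abs(computed - published) > 1e-9:
            mismatches.append((vector, published, computed))
    return mismatches


if __name__ == "__main__":
    # Constructed sample: score/vector pairs copied from advisories on this page.
    SAMPLE = [
        (9.0, "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"),
        (7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
        (8.6, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"),
        (8.2, "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"),
        (10.0, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"),
    ]
    for vec, published, computed in check_advisory(SAMPLE):
        print("MISMATCH %s: published %.1f, computed %.1f" % (vec, published, computed))
    print("checked %d vectors" % len(SAMPLE))
```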
ADDITIONAL RESOURCES
Glossary
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Privilege escalation: cyberattack technique where an attacker gains unauthorized access to higher-level privileges within a system, allowing them to perform actions that are typically restricted.
Denial-of-service Vulnerability in ControlLogix® and GuardLogix® Controllers
Published Date: January 30, 2024
Last updated: 1.0
Revision Number: 1.0
CVSS Score: 8.6
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Firmware Revision | Corrected in Firmware |
|---|---|---|
| ControlLogix® 5570 | 20.011 | v33.016, 34.013, 35.012, 36.011 and later |
| GuardLogix® 5570 | 20.011 | v33.016, 34.013, 35.012, 36.011 and later |
| ControlLogix® 5570 Redundancy | 20.054_kit1 | v33.053_kit1, 34.052_kit1, 35.052_kit1, 36.051_kit1 and later |
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-21916 IMPACT
A denial-of-service vulnerability exists in the affected products listed above. If exploited, the product could potentially experience a major nonrecoverable fault (MNRF). The device will restart itself to recover from the MNRF.
CVSS Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE: Improper Restriction of Operations within the Bounds of a Memory Buffer
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date: January 30, 2024
Revision History
Version 1.0 - March 5, 2024 - Updated Mitigations and Workarounds
Version 1.1 - July 18, 2025 - Updated for readability
Revision Number: 1.1
CVSS Score: 9.8/10
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| FactoryTalk® Service Platform | <= v6.31 | v6.40 or later |
SECURITY ISSUE DETAILS
Rockwell Automation used the CVSS v3.1 scoring system to assess the following security issues.
CVE-2024-21917 IMPACT
A security issue exists in the affected product. This allows a malicious user to obtain the service token and use it for authentication on another FactoryTalk® Service Platform (FTSP) directory. This is due to the lack of digital signing between the FTSP service token and directory. A threat actor could potentially retrieve user information and modify settings without any authentication.
CVSS Base Score: 9.8/10 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-347: Improper Verification of Cryptographic Signature
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software should use risk mitigations and our suggested security best practices to minimize the risks.
Customers updating to v6.40 or later should do one of the following steps:
IMPORTANT! Two v6.40 (or later) FactoryTalk Directory security policies can prevent legacy FactoryTalk Directory clients, v6.31 and earlier, from connecting to the FactoryTalk Directory server. Set both security policies to Legacy to allow the connection.
The two security policies are the Service Token signature method and Encryption method.
Customers who are unable to update to v6.40 or later should apply the following:
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
ADDITIONAL RESOURCES
Glossary
Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Published Date: January 25, 2024
Last updated: January 25, 2024
Revision Number: 1.0
CVSS Score: 8.8
AFFECTED PRODUCTS AND SOLUTION
| Affected Product (automated) | First Known in Software Revision | Corrected in Software Revision |
|---|---|---|
| LP30 Operator Panel | Codesys versions before V3.5.19.0 | |
| LP40 Operator Panel | Codesys versions before V3.5.19.0 | |
| BM40 Operator Panel | Codesys versions before V3.5.19.0 | |
| LP50 Operator Panel | Codesys versions before V3.5.19.0 | |
VULNERABILITY DETAILS
The CODESYS Control runtime system is utilized in the affected ASEM™ (A Rockwell Automation Company) products and enables embedded or PC-based devices to be programmable industrial controllers. Such products contain communication servers for the CODESYS protocol to enable communication with clients like the CODESYS Development System.
These products have the following vulnerabilities:
CVE-2022-47378 IMPACT
CVSS Base Score: 6.5/10 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-1288: Improper Validation of Consistency within Input
After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpFiletransfer component to read internally from an invalid address, potentially leading to a denial-of-service condition.
CVE-2022-47379 IMPACT
CVSS Base Score: 8.8/10 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to memory, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
CVE-2022-47380, CVE-2022-47381 IMPACT
CVSS Base Score: 8.8/10 (High)
CWE-121: Stack-based Buffer Overflow
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390 IMPACT
CVSS Base Score: 8.8/10 (High)
CWE-121: Stack-based Buffer Overflow
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
CVE-2022-47385 IMPACT
CVSS Base Score: 8.8/10 (High)
CWE-121: Stack-based Buffer Overflow
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
After successful authentication, specifically crafted communication requests can cause the CmpAppForce component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.
CVE-2022-47392 IMPACT
CVSS Base Score: 6.5/10 (Medium)
CWE-1288: Improper Validation of Consistency within Input
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpApp/CmpAppBP/CmpAppForce components to read internally from an invalid address, potentially leading to a denial-of-service condition.
CVE-2022-47393 IMPACT
CVSS Base Score: 6.5/10 (Medium)
CWE-822: Untrusted Pointer Dereference
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
After successful authentication, specifically crafted communication requests can cause the cmpFiletransfer component to dereference addresses provided by the request for internal read access, which can lead to a denial-of-service situation.
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
Published Date: November 14, 2023
Last updated: November 14, 2023
Revision Number: 1.0
CVSS Score: 7.8/10
The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| Safety Instrumented System Workstation | <= v1.2 | |
| ISaGRAF® Workbench | <= v6.6.9 | |
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2015-9268 IMPACT
Due to third-party vulnerabilities in the Nullsoft Scriptable Install System (NSIS), the SIS Workstation and ISaGRAF® Workbench installer and uninstaller have unsafe implicit linking against Version.dll. Therefore, there is no protection mechanism in the wrapper function that resolves the dependency at an appropriate time during runtime. Also, the SIS Workstation and ISaGRAF® Workbench uninstaller uses temporary folder locations that allow unprivileged local users to overwrite files. This allows a local attack in which the uninstaller can be replaced by a malicious program.
CVSS Base Score: 7.8/10
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: Improper Input Validation
Known Exploited Vulnerability (KEV) database:
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
ADDITIONAL RESOURCES
Published Date: November 14, 2023
Last updated: November 14, 2023
Revision Number: 1.0
CVSS Score: 7.8
| Affected Product (automated) | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| FactoryTalk Activation Manager | V4.00 (Utilizes Wibu-Systems CodeMeter <7.60c) | 5.01 |
Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2023-38545 IMPACT
Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer use the affected Wibu-Systems products, which internally use a libcurl version that is vulnerable to a buffer overflow attack if curl is configured to redirect traffic through a SOCKS5 proxy. A malicious proxy can exploit a bug in the implemented handshake to cause a buffer overflow. If no SOCKS5 proxy has been configured, there is no attack surface.
CVSS Base Score: 7.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No
CVE-2023-3935 IMPACT
Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer use the affected Wibu-Systems products, which contain a heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b that allows an unauthenticated, remote attacker to achieve RCE and gain full access to the host system.
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
ADDITIONAL RESOURCES
Revision Number: 1.0
Revision History
Version 1.0 – October 26, 2023
The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.
| Affected Product | First Known in Software Version | Corrected in Software Version |
| FactoryTalk® View Site Edition | V11.0 | v11.0 & v12.0 & v13.0 patch |
Vulnerability Details
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2023-46289 IMPACT
The affected product insufficiently validates user input, which could potentially allow threat actors to send malicious data bringing the product offline. If exploited, the product would become unavailable and require a restart to recover resulting in a denial-of-service condition.
CVSS Base Score: 7.5/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
Revision Number: 1.0
Revision History
Version 1.0 – October 26, 2023
The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.
| Affected Product | First Known in Software Version | Corrected in Software Version |
| FactoryTalk® Services Platform | v2.74 | V2.80 and later |
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2023-46290 IMPACT
Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in to FactoryTalk® Services Platform. This vulnerability can only be exploited if the authorized user did not previously log in to the FactoryTalk® Services Platform web service.
CVSS Base Score: 8.1/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
Revision Number: 1.0
Revision History
Version 1.0 – October 27, 2023
| Affected Product (automated) | First Known in Software Version | Corrected in Software Version |
| Arena® Simulation Software | V16.00 | 16.20.02 |
These vulnerabilities were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2023-27854 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow. The threat actor could then execute malicious code on the system, affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125: Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No
CVE-2023-27858 IMPACT
An arbitrary code execution vulnerability could potentially allow a malicious user to commit unauthorized code to the software by using an uninitialized pointer in the application. The threat actor could then execute malicious code on the system, affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
Published Date: 10/17/2023
Last updated: 02/14/2024
Revision Number: 2.0
Revision History: Updated Corrected in firmware revision
CVSS Score: 10/10
Rockwell Automation is aware of an actively exploited zero-day vulnerability affecting the Stratix® 5800 and the newly released Stratix® 5200 product. This vulnerability was reported by Cisco on October 16, 2023, and additional information can be found in their original disclosure. As of the time of publication, no patch is available for this vulnerability and multiple cases of active exploitation have been observed. While Rockwell Automation has no evidence of active exploitation against the Stratix® product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer. This advisory will be updated as remediation steps become available.
REVISION 1.1 UPDATE
Since publication of the original disclosure, the exploit code has become publicly available. Availability of exploit code reduces the technical barriers for threat actors to target the affected devices. Rockwell Automation has no evidence of active exploitation against the Stratix® product line currently. This advisory has been updated to include specific steps to take to create access control measures utilizing the Web UI. Rockwell Automation strongly encourages customers to follow the mitigation guidelines.
REVISION 2.0 UPDATE
Rockwell Automation has released a software update that remediates the vulnerabilities in the affected products. We strongly recommend customers update to the corrected firmware revision as soon as possible.
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
|---|---|---|
| Stratix® 5200, 5800 | All versions running Cisco IOS XE Software with the Web UI feature enabled | 17.12.02 |
VULNERABILITY DETAILS
CVE-2023-20198 IMPACT
Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system.
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVSS Base Score: 10/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Known Exploited Vulnerability (KEV) database: Yes
CVE-2023-20273 IMPACT
Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability could allow an authenticated, remote threat actor to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. A threat actor could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the threat actor to inject commands to the underlying operating system with root privileges.
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVSS Base Score: 7.2/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Known Exploited Vulnerability (KEV) database: Yes
Mitigations and Workarounds
Rockwell strongly encourages customers to follow guidance on disabling Stratix® HTTP servers on all internet-facing systems.
REVISION 1.1 UPDATE
ADDITIONAL RESOURCES
Revision Number: 1.0
Version 1.0 – October 12, 2023
| Affected Product | First Known in Revision | Corrected in Revision |
| FactoryTalk® Linx | v6.20 | v6.20 & v6.30 patch |
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. Rockwell Automation would like to thank Yuval Gordon, CPS Research, Microsoft Threat Intelligence Community for reporting this vulnerability to us.
FactoryTalk® Linx, in the Rockwell Automation PanelView™ Plus, allows an unauthenticated threat actor to read data from memory via crafted malicious packets. Sending a size larger than the buffer size results in leakage of data from memory, resulting in an information disclosure. If the size is large enough, it causes communications over the Common Industrial Protocol (CIP) to become unresponsive to any type of packet, resulting in a denial-of-service to FactoryTalk® Linx over CIP.
CVSS Base Score: 8.2/10 (high)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CWE-20: Improper Input Validation
Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Revision Number: 1.0
Version 1.0 – September 19, 2023
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments. This vulnerability is not related to PN1633 - Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules.
| Affected Catalog | Series | Affected Firmware Version | Corrected in Firmware Version |
|---|---|---|---|
| 1756-EN2T, 1756-EN2TK, 1756-EN2TXT | A, B, C | <=5.008 and 5.028 | Update to 5.009 and 5.029 or later |
| 1756-EN2T, 1756-EN2TK, 1756-EN2TXT | D | <=11.002 | Update to 11.003 or later |
| 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT | A | <=11.002 | Update to 11.003 or later |
| 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | A, B | <=5.008 and 5.028 | Update to 5.009 and 5.029 or later |
| 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | C | <=11.002 | Update to 11.003 or later |
| 1756-EN2F, 1756-EN2FK | A, B | <=5.008 and 5.028 | Update to 5.009 and 5.029 or later |
| 1756-EN2F, 1756-EN2FK | C | <=11.002 | Update to 11.003 or later |
| 1756-EN3TR, 1756-EN3TRK | A | <=5.008 and 5.028 | Update to 5.009 and 5.029 or later |
| 1756-EN3TR, 1756-EN3TRK | B | <=11.002 | Update to 11.003 or later |
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2023-2262 IMPACT
A buffer overflow vulnerability exists in select communication devices. If exploited, a threat actor could potentially leverage this vulnerability to perform remote code execution. To exploit this vulnerability, a threat actor would have to send a maliciously crafted CIP request to the device.
CVSS Base Score: 9.8/10
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121: Stack-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
Revision Number: 1.0
Version 1.0 – September 19, 2023
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
| Affected Product | Affected Versions | Corrected in Software Version |
| Connected Components Workbench™ (CCW) | Versions Prior to R21 | R21 and later |
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2020-16017 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Google Chrome versions before 86.0.4240.198. If exploited, a remote threat actor could potentially perform a sandbox escape via a crafted HTML page.
CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE-416: Use After Free
Known Exploited Vulnerability (KEV) database: Yes
CVE-2022-0609 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Animation within Google Chrome before 98.0.4758.102. This vulnerability could potentially allow a remote threat actor to exploit heap corruption via a crafted HTML page.
CVSS Base Score: 8.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
Known Exploited Vulnerability (KEV) database: Yes
CVE-2020-16009 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.18. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.
CVSS Base Score: 8.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write and CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
Known Exploited Vulnerability (KEV) database: Yes
CVE-2020-16013 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.198. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.
CVSS Base Score: 8.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: Yes
CVE-2020-15999 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a heap buffer overflow vulnerability in FreeType within Google Chrome before 86.0.4240.111. This vulnerability could allow a remote threat actor to potentially exploit heap corruption via a crafted HTML page.
CVSS Base Score: 6.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: Yes
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
Revision Number: 1.0
Version 1.0 - September 19, 2023
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
|---|---|---|
| 2711R-T10T | v3.011 | v6.011 |
| 2711R-T7T | | |
| 2711R-T4T | | |
An input/output validation vulnerability exists in a third-party component that the PanelView™ 800 utilizes. Libpng, PNG's reference library, in version 1.6.32 and earlier does not properly check the length of chunks against the user limit. Libpng versions prior to 1.6.32 are susceptible to a vulnerability which, when successfully exploited, could potentially lead to disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
Version 1.0 – September 12, 2023
Version 1.1 - September 26, 2025 - Corrected versions and CVE update
| Affected Product | First Known in Software Version | Corrected in Software Version |
| KEPServer Enterprise | v11.00 | Update to version 14 |
Rockwell Automation was notified by CISA of vulnerabilities discovered in Kepware® KEPServerEX (also known as PTC ThingWorx Industrial Connectivity), which affect Rockwell Automation's KEPServer Enterprise product. Successful exploitation of these vulnerabilities could allow a threat actor to gain elevated privileges, execute arbitrary code, and obtain server hashes and credentials.
CVE-2023-29444 KEPServer Enterprise Uncontrolled Search Path Element
The installer application of KEPServerEX is vulnerable to DLL search order hijacking. This could allow an adversary to repackage the installer with a harmful DLL and trick users into installing the trojanized software. Successful exploitation could lead to code execution with administrator privileges. There are no known public uses that specifically target this security issue. Creating a working exploit for this security issue would be difficult because the code would need to be in a specific directory in the file system.
CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element
CVE-2023-29445 KEPServer Enterprise Uncontrolled Search Path Element
The KEPServerEX binary is vulnerable to DLL search order hijacking. A locally authenticated adversary could escalate privileges to administrator by planting a malicious DLL in a specific directory. No known public exploits specifically target this security issue. Creating a working exploit for this security issue would be difficult.
CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element
CVE-2023-29446 KEPServer Enterprise Improper Input Validation
KEPServerEX is vulnerable to UNC path injection via a malicious project file. By tricking a user into loading a project file and clicking a specific button in the GUI, an adversary could obtain Windows user NTLMv2 hashes and crack them offline. No known public exploits specifically target this security issue.
CVSS Base Score: 4.7 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-20: Improper Input Validation
CVE-2023-29447 KEPServer Enterprise Insufficiently Protected Credentials
The KEPServerEX Configuration web server uses basic authentication to protect user credentials. An adversary could perform a man-in-the-middle (MitM) attack via ARP spoofing to obtain the web server's plaintext credentials. No known public exploits specifically target this security issue.
CVSS Base Score: 5.7 /10 (Medium)
CVSS 3.1 Vector String: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-522: Insufficiently Protected Credentials
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment-specific prioritization.
Customers using the affected versions are encouraged to apply the risk mitigations below and implement our suggested security best practices to minimize risk of this vulnerability in their environments.
Revision Number: 1.0
Version 1.0 – September 12, 2023
| Affected Product | First Known in Revision | Corrected in Revision |
|---|---|---|
| FactoryTalk View Machine Edition | v12.0 | v12.0 & v13.0 patch |
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. Rockwell Automation would like to thank Yuval Gordon, CPS Research, and the Microsoft Threat Intelligence Community for reporting this vulnerability to us.
FactoryTalk View Machine Edition on the PanelView Plus improperly verifies user input, which allows an unauthenticated attacker to achieve remote code execution via crafted malicious packets. The device has the functionality, through a CIP class, to execute exported functions from libraries. A routine restricts this to specific functions from two dynamic link library files. By using a CIP class, an attacker can upload a self-made library to the device, which allows the attacker to bypass the security check and execute any code written in the uploaded function.
CVSS Base Score: 9.8/10 (high)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation
Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Revision Number: 1.0
Version 1.0 – September 12, 2023
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| Pavilion8® | v5.17 | v5.20 |
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
The JMX Console within Pavilion8 is exposed to application users and does not require authentication. If exploited, a malicious user could potentially retrieve other application users' session data and/or log users out of their sessions.
CVSS Base Score: 8.8/10
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: 287 – Improper Authentication
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of this vulnerability.
If customers are unable to update to v5.20, please follow the instructions below to disable the vulnerability in v5.17.
Note: <FQDN> is your fully qualified domain name used for the Console login.
| Affected Product | First Known in Firmware Version | Corrected in Firmware Version |
|---|---|---|
| 1734-AENT/1734-AENTR Series C | <=7.011 | 7.013 |
| 1734-AENT/1734-AENTR Series B | <=5.019 | 5.021 |
| 1738-AENT/ 1738-AENTR Series B | <=6.011 | 6.013 |
| 1794-AENTR Series A | <=2.011 | 2.012 |
| 1732E-16CFGM12QCWR Series A | <=3.011 | 3.012 |
| 1732E-12X4M12QCDR Series A | <=3.011 | 3.012 |
| 1732E-16CFGM12QCR Series A | <=3.011 | 3.012 |
| 1732E-16CFGM12P5QCR Series A | <=3.011 | 3.012 |
| 1732E-12X4M12P5QCDR Series A | <=3.011 | 3.012 |
| 1732E-16CFGM12P5QCWR Series B | <=3.011 | 3.012 |
| 1732E-IB16M12R Series B | <=3.011 | 3.012 |
| 1732E-OB16M12R Series B | <=3.011 | 3.012 |
| 1732E-16CFGM12R Series B | <=3.011 | 3.012 |
| 1732E-IB16M12DR Series B | <=3.011 | 3.012 |
| 1732E-OB16M12DR Series B | <=3.011 | 3.012 |
| 1732E-8X8M12DR Series B | <=3.011 | 3.012 |
| 1799ER-IQ10XOQ10 Series B | <=3.011 | 3.012 |
CVSS Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE: CWE-787 Out-of-Bounds Write
Known Exploited Vulnerability (KEV) database: No
| Affected Product | Vulnerability | First Known in Software Versions | Corrected in Software Versions |
|---|---|---|---|
| ThinManager® ThinServer™ | | | |
CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation
CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation
CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 Improper Input Validation
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
|---|---|---|
| Armor™ PowerFlex® | 1.003 | 2.001 or later |
CVSS Base Score: 8.6
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-682 Incorrect Calculation
Known Exploited Vulnerability (KEV) database: No
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
|---|---|---|
| Kinetix® 5700 DC Bus Power Supply – Series A | V13.001 | V13.003 |
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption
Known Exploited Vulnerability (KEV) database: No
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| ThinManager® ThinServer™ | | |
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-23 Relative Path Traversal
Known Exploited Vulnerability (KEV) database: No
| Catalog | Series | Versions |
|---|---|---|
| 1756-EN2T 1756-EN2TK 1756-EN2TXT | A, B, C | <=5.008 & 5.028 |
| | D | <=11.003 |
| 1756-EN2TP 1756-EN2TPK 1756-EN2TPXT | A | <=11.003 |
| 1756-EN2TR 1756-EN2TRK 1756-EN2TRXT | A, B | <=5.008 & 5.028 |
| | C | <=11.003 |
| 1756-EN2F 1756-EN2FK | A, B | <=5.008 & 5.028 |
| | C | <=11.003 |
| 1756-EN3TR 1756-EN3TRK | A | <=5.008 & 5.028 |
| | B | <=11.003 |
| 1756-EN4TR 1756-EN4TRK 1756-EN4TRXT | A | <=5.001 |
CVSS score: 9.8/10 (Critical)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write
CVSS Score: 7.5/10 (High)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-787: Out-of-bounds Write
| Catalog | Series | Affected Versions | Remediations |
|---|---|---|---|
| 1756-EN2T 1756-EN2TK 1756-EN2TXT | A, B, C | <=5.008 & 5.028 | |
| | D | <=11.003 | Update to 11.004 or later |
| 1756-EN2TP 1756-EN2TPK 1756-EN2TPXT | A | <=11.003 | Update to 11.004 or later |
| 1756-EN2TR 1756-EN2TRK 1756-EN2TRXT | A, B | <=5.008 & 5.028 | |
| | C | <=11.003 | Update to 11.004 or later |
| 1756-EN2F 1756-EN2FK | A, B | <=5.008 & 5.028 | |
| | C | <=11.003 | Update to 11.004 or later |
| 1756-EN3TR 1756-EN3TRK | A | <=5.008 & 5.028 | |
| | B | <=11.003 | Update to 11.004 or later |
| 1756-EN4TR 1756-EN4TRK 1756-EN4TRXT | A | <=5.001 | Update to 5.002 or later |
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
|---|---|---|
| Enhanced HIM | v1.001 | v1.002 |
CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
Known Exploited Vulnerability (KEV) database: No
Glossary
Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.
Cross-Origin Resource Sharing: (CORS) an HTTP-header-based mechanism that allows a server to specify which origins (domains, schemes, or ports) are permitted to access its resources
Cross Site Request Forgery: (CSRF) an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated
Cross Site Scripting Vulnerability: (XSS) a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
| Affected Product | First Known in Software Revision | Corrected in Software Revision |
|---|---|---|
| PowerMonitor™ 1000 | V4.011 | V4.019 |
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write
Known Exploited Vulnerability (KEV) database: No
Glossary
Cross Site Scripting Vulnerability: (XSS) a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| FactoryTalk® Services Platform (*only if the following were installed:) | 6.11.00 | 6.30.00 |
CVSS Base Score: 7.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
CWE: CWE-321: Use of Hard-coded Cryptographic Key
Known Exploited Vulnerability (KEV) database: No
CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
CWE: CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No
CVSS Base Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE: CWE-346: Origin Validation Error
Known Exploited Vulnerability (KEV) database: No
Glossary
Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Medium Strength Ciphers: encryption methods that use key lengths of at least 64 bits and less than 112 bits, or those with key lengths of at least 56 bits and less than 112 bits
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| FactoryTalk® Edge Gateway | v1.03.00 | v1.04.00 |
CVSS Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE: CWE-125 Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| FactoryTalk® Transaction Manager | <=v13.10 | BF29042 - Patch: Multiple issues, FactoryTalk Transaction Manager 13.00/13.10 |
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400 Uncontrolled Resource Consumption
Known Exploited Vulnerability (KEV) database: No
Glossary
Central Processing Unit: (CPU) the brain of your computer, processing instructions from programs and components
Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| ThinManager® | v13.0.0 and v13.0.1 | v13.0.2 |
CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: Inadequate Encryption Strength
Known Exploited Vulnerability (KEV) database: No
Glossary
Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Medium Strength Ciphers: encryption methods that use key lengths of at least 64 bits and less than 112 bits, or those with key lengths of at least 56 bits and less than 112 bits
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
|---|---|---|
| ArmorStart® ST 281E | v2.004.06 | N/A |
| ArmorStart® ST 284E | all | N/A |
| ArmorStart® ST 280E | all | N/A |
CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
CVSS Base Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation
CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation
CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation
CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation
CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation
CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation
Glossary
Cross Site Scripting Vulnerability: (XSS) a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| PanelView™ 800 - 2711R-T4T | V5.011 | V8.011 |
| PanelView™ 800 - 2711R-T7T | V5.011 | V8.011 |
| PanelView™ 800 - 2711R-T10T | V5.011 | V8.011 |
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write
Known Exploited Vulnerability (KEV) database: No
CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-125 Out-Of-Bounds Read
Known Exploited Vulnerability (KEV) database: No
Glossary
ASN.1: Abstract Syntax Notation One is a standard interface description language for defining data structures that can be serialized and deserialized in a cross-platform way
Handshaking: the process of establishing a connection between two devices or systems before actual data transmission begins
Heap-based Memory Buffer Overflow: a type of buffer overflow that occurs in the heap data area. Memory on the heap is dynamically allocated at runtime and typically contains program data.
Out-of-Bounds Write: when the software writes data past the end or before the beginning of an intended buffer, leading to data corruption, crashes or code execution
RsaPad_PSS: (RSA-Public Key Signature Scheme) a cryptographic method that uses the RSA algorithm for signing and verifying messages
WolfSSL: a small, portable SSL/TLS library designed for embedded system and RTOS environments
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| FactoryTalk® Vantagepoint® | <v8.40 | V8.40 and later |
CVSS Base Score: 7.1/10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
CWE: CWE-345 Insufficient Verification of Data Authenticity
Known Exploited Vulnerability (KEV) database: No
Glossary
Cross Site Request Forgery: (CSRF) an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated
Phishing: cyberattack that uses fraudulent emails, text messages, phone calls or websites to trick people into sharing sensitive data, downloading malware or otherwise exposing themselves to cybercrime
Revision Number
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
|---|---|---|
| Kinetix 5500 manufactured between May 2022 and January 2023 (*the manufacturing date of the drive is stated on the product label) | v7.13 | Customers should upgrade to v7.14 or later to close the ports, which mitigates this issue. |
CVSS Base Score: 9.4/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CWE: CWE-284 Improper Access Control
Known Exploited Vulnerability (KEV) database: No
Additional Resources
Glossary
FTP: (File Transfer Protocol) uses two primary ports for its operations: Port 21 and Port 20. These ports play distinct roles in facilitating file transfers between clients and servers.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Telnet: (Teletype Network) a client/server application protocol that provides access to virtual terminals of remote systems on local area networks or the Internet
| Affected Product | First Known in Software Version | Corrected in Software Version |
|---|---|---|
| Arena® Simulation Software | V16.00 | 16.20.01 |
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer
Known Exploited Vulnerability (KEV) database: No
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer
Known Exploited Vulnerability (KEV) database: No
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer
Known Exploited Vulnerability (KEV) database: No
Glossary
Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Memory Buffer Overflow: occurs when a program writes more data to a buffer than it can hold. This can lead to data corruption, program crashes, or unintended behavior
FactoryTalk Services Platform (v2.00 – v6.11)
The FactoryTalk Services Platform is delivered as part of the FactoryTalk suite of software from Rockwell Automation, which includes most products branded FactoryTalk or Studio 5000® software.
CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10268
Rockwell Automation will resolve this vulnerability in the next release of the FactoryTalk Services Platform. Until then, customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the PN1354 - Industrial Security Advisory Index to stay notified.
Update: The vulnerability has been resolved with the release of FactoryTalk Services Platform V6.31.
| Product Family | Suggested Actions |
|---|---|
| FactoryTalk Services Platform V6.31 | |
| Product Family | Suggested Actions |
|---|---|
| FactoryTalk Services Platform V2.00 – V6.11 | We have provided guidance for customers affected by this vulnerability to assess whether the service is installed, and steps for implementing the recommended mitigations. Customers should consider implementing the following measures based on their needs. Note: A Snort rule for this issue is available in Snort's developer rules (sid: 32474). |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the PN1354 - Industrial Security Advisory Index for Rockwell Automation.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).
| ThinManager ThinServer software | Versions |
|---|---|
| 6.x – 10.x | |
| 11.0.0 – 11.0.5 | |
| 11.1.0 – 11.1.5 | |
| 11.2.0 – 11.2.6 | |
| 12.0.0 – 12.0.4 | |
| 12.1.0 – 12.1.5 | |
| 13.0.0 – 13.0.1 | |
CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Base Score: 7.5 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Base Score: 7.5/10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-27855, CVE-2023-27856, CVE-2023-27857
| First Known Affected | Fixed Versions |
|---|---|
| 6.x – 10.x | These versions are retired. Please update to the supported version. |
| 11.0.0 – 11.0.5 | Update to v11.0.6 |
| 11.1.0 – 11.1.5 | Update to v11.1.6 |
| 11.2.0 – 11.2.6 | Update to v11.2.7 |
| 12.0.0 – 12.0.4 | Update to v12.0.5 |
| 12.1.0 – 12.1.5 | Update to v12.1.6 |
| 13.0.0 – 13.0.1 | Update to v13.0.2 |
Glossary
Heap-Based Buffer Over-Read Condition: a type of buffer overflow flaw where the execution occurs in the heap data area. An over-read condition occurs when a program, while reading data from a buffer, overruns the buffer’s boundary and reads adjacent memory
Path Traversal: allows attackers to access files and directories that are stored outside the intended directory
Revision Number
CVSS v3.1 Base Score: 5.3/10 (Medium)
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Products Affected | First Known Version Affected | Corrected In |
|---|---|---|
| Modbus TCP Add-On Instructions (AOI) Sample Code | 2.00.00 | This issue has been mitigated in the following AOI versions: 2.04.00 and later |
CVSS v3.1 Base Score: 5.8/10 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
| Products Affected | First Known Version Affected | Corrected In |
|---|---|---|
| CompactLogix 5370 ControlLogix 5570 GuardLogix 5570 | 20.011 | 33.011 and later |
| Compact GuardLogix 5370 | 28.011 | 33.011 and later |
| ControlLogix 5570 Redundancy | 20.054 | 33.051 and later |
| Catalog Number | Firmware Version |
|---|---|
| 1732E-8CFGM8R/A | 1.012 |
| 1732E-IF4M12R/A (discontinued) | 1.012 |
| 1732E-IR4IM12R/A | 1.012 |
| 1732E-IT4IM12R/A | 1.012 |
| 1732E-OF4M12R/A | 1.012 |
| 1732E-OB8M8SR/A | 1.013 |
| 1732E-IB8M8SOER | 1.012 |
| 1732E-8IOLM12R | 2.011 |
| 1747-AENTR | 2.002 |
| 1769-AENTR | 1.001 |
| 5069-AEN2TR | 3.011 |
| 1756-EN2TR/C | <=11.001 |
| 1756-EN2T/D | <=11.001 |
| 1756-EN2TSC/B (discontinued) | 10.01 |
| 1756-EN2TSC/B | 10.01 |
| 1756-HIST1G/A (discontinued) | <=3.054 |
| 1756-HIST2G/A (discontinued) | <=3.054 |
| 1756-HIST2G/B | <=5.103 |
| Catalog Number | Firmware Version |
|---|---|
| ControlLogix® 5580 controllers | V28 – V32* |
| GuardLogix® 5580 controllers | V31 – V32* |
| CompactLogix™ 5380 controllers | V28 – V32* |
| Compact GuardLogix 5380 controllers | V31 – V32* |
| CompactLogix 5480 controllers | V32* |
| 1756-EN2T/D | 11.001* |
| 1756-EN2TR/C | 11.001* |
| 1756-EN3TR/B | 11.001* |
| 1756-EN2F/C | 11.001* |
| 1756-EN2TP/A | 11.001* |
CVSS Base Score: 9.8/10 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Base Score: 7.5/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Product | Suggested Actions |
|---|---|
| 1732E-8CFGM8R/A | Refer to Additional Mitigations |
| 1732E-IF4M12R/A | Refer to Additional Mitigations |
| 1732E-IR4IM12R/A | Refer to Additional Mitigations |
| 1732E-IT4IM12R/A | Refer to Additional Mitigations |
| 1732E-OF4M12R/A | Refer to Additional Mitigations |
| 1732E-OB8M8SR/A | Refer to Additional Mitigations |
| 1732E-IB8M8SOER | Refer to Additional Mitigations |
| 1732E-8IOLM12R | Refer to Additional Mitigations |
| 1747-AENTR | Refer to Additional Mitigations |
| 1769-AENTR | Update to 1.003 or later |
| 5069-AEN2TR (discontinued) | Migrate to the 5069-AENTR |
| 1756-EN2T/D | Update to 11.002 or later |
| 1756-EN2TR/C | Update to 11.002 or later |
| 1756-EN3TR/B | Update to 11.002 or later |
| 1756-EN2F/C | Update to 11.002 or later |
| 1756-EN2TP/A | Update to 11.002 or later |
| 1756-EN2TSC/B | Refer to Additional Mitigations |
| 1756-HIST1G/A (discontinued) | Update to series B v5.104 or C 7.100 or later |
| 1756-HIST2G/A (discontinued) | Update to series B v5.104 or C 7.100 or later |
| 1756-HIST2G/B | Update to 5.104 or later |
| ControlLogix 5580 controllers | Update to V32.016 or later |
| GuardLogix 5580 controllers | Update to V32.016 or later |
| CompactLogix 5380 controllers | Update to V32.016 or later |
| Compact GuardLogix 5380 controllers | Update to V32.016 or later |
| CompactLogix 5480 | Update to V32.016 or later |
Glossary
Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations
HTTP Requests: (Hypertext Transfer Protocol) primarily used to fetch resources such as HTML documents, images, videos, and scripts. When a user requests a web page, the browser sends an HTTP request to the server, which then responds with the requested resource
CVSS Base Score: 8.6/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
| Products Affected | First Known Version Affected | Corrected In |
|---|---|---|
| CompactLogix 5370 ControlLogix 5570 GuardLogix 5570 | 20.011 | |
| Compact GuardLogix 5370 | 28.011 | |
| ControlLogix 5570 Redundancy | 20.054 | |
Glossary
Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations
Major Nonrecoverable Fault (MNRF): an error that occurs in a system or device and prevents it from recovering or functioning properly
CVSS Base Score: 7.8/10 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Vulnerabilities | Product | Suggested Actions |
|---|---|---|
| CVE-2022-3156 | Studio 5000 Logix Emulate | Customers should upgrade to version 34.00 or later to mitigate this issue. |
CVSS Base Score: 7.5 /10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Base Score: 8.2 /10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CVSS v3.1 Base Score: 8.6/10 (High)
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
| Products Affected | First Known Version Affected | Corrected In |
|---|---|---|
| CompactLogix 5380 Compact GuardLogix 5380 ControlLogix 5580 GuardLogix 5580 | This vulnerability is present in firmware version 31.011 and later | This issue has been mitigated in the following firmware versions: |
| CompactLogix 5480 | This vulnerability is present in firmware version 32.011 and later | |
CVSS v3.1 Base Score: 5.9/10 (Medium)
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Rockwell Automation is impacted by advisory ICSA-21-210-02 which contains two vulnerabilities targeting Wibu-Systems AG. These vulnerabilities impact FactoryTalk® Activation Manager and Studio 5000 Logix Designer®. If successfully exploited, these vulnerabilities may allow the reading of data from the heap of the CodeMeter Runtime network server or result in a crash of the CodeMeter Runtime Server (i.e., CodeMeter.exe).
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems AG CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime Network Server to send back packets containing data from the heap.
CVSS v3.1 Base Score: 9.1/10 Critical
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime CmWAN server to send back packets containing data from the heap.
Wibu-Systems AG score:
CVSS v3.1 Base Score: 7.5/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
UPDATE: 22 Nov 2022
A local attacker could cause a Denial of Service by overwriting existing files on the affected system.
Wibu-Systems AG Score:
CVSS V3.1 Base Score: 7.1/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
| Vulnerability | Suggested Actions |
|---|---|
| CVE-2021-20093 | Update to FactoryTalk Activation Manager 4.05.03 or later. For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center, Standard Views -> Software Latest Versions -> FactoryTalk Activation |
| CVE-2021-20094 | Update to FactoryTalk Activation Manager 4.05.03 or later |
| CVE-2021-41057 | Update to FactoryTalk Activation Manager 4.06.11 or later |
Revision Number: 8.0
| Affected Product Family | Affected Versions | CVE-2020-11896 | CVE-2020-11897 | CVE-2020-11898 | CVE-2020-11899 | CVE-2020-11900 | CVE-2020-11901 | CVE-2020-11902 | CVE-2020-11903 | CVE-2020-11904 | CVE-2020-11905 | CVE-2020-11906 | CVE-2020-11907 | CVE-2020-11908 | CVE-2020-11909 | CVE-2020-11910 | CVE-2020-11911 | CVE-2020-11912 | CVE-2020-11913 | CVE-2020-11914 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5094-AEN2SFPR/XT 5094-AEN2TR/XT 5094-AENSFPR/XT 5094-AENTR/XT | 1.011-4.011 | X | X | X | X | X | X | | | | | | | | | | | | | |
| 5069-AENTR | 3.011-4.011 | X | X | X | X | X | X | | | | | | | | | | | | | |
| 1734-AENT/R | 4.001-6.012 | X | X | X | X | X | X | | | | | | | | | | | | | |
| 1738-AENT/R | 4.001-6.012 | X | X | X | X | X | X | | | | | | | | | | | | | |
| 1732E-16CFGM12R 1732E-8X8M12DR 1732E-IB16M12DR 1732E-IB16M12R 1732E-OB16M12DR 1732E-OB16M12R | 2.011-2.012 | X | X | X | X | X | X | | | | | | | | | | | | | |
| 1791ES-ID2SSIR | 1.001 | | | | | | | | | | | | | | | | | | | |
| 1799ER-IQ10XOQ10 | 2.011 | X | X | X | X | X | X | | | | | | | | | | | | | |
| 1794-AENTR/XT | 1.011-1.017 | X | X | X | X | X | X | | | | | | | | | | | | | |
| 1732E-12X4M12QCDR 1732E-16CFGM12QCR 1732E-16CFGM12QCWR 1732E-12X4M12P5QCDR 1732E-16CFGM12P5QCR | 1.011-1.015 | X | X | X | X | X | X | | | | | | | | | | | | | |
| 1732E-16CFGM12P5QCWR | 1.011-2.011 | X | X | X | X | X | X | | | | | | | | | | | | | |
| PowerMonitor™ 5000 | 4.19 | X | X | X | X | X | X | X | | | | | | | | | | | | |
| PowerMonitor 1000 | 4.10 | X | X | X | X | X | X | X | | | | | | | | | | | | |
| ArmorStart® ST+ Motor Controller | 1.001 | X | X | X | X | X | | | | | | | | | | | | | | |
| Kinetix® 5500 | All* | X | X | X | X | X | | | | | | | | | | | | | | |
| Kinetix® 5700 | All* | X | X | X | X | X | | | | | | | | | | | | | | |
| Kinetix® 5100 | 1.001 | X | X | X | X | X | | | | | | | | | | | | | | |
| PowerFlex 755T PowerFlex 6000T | All* | X | X | X | X | X | | | | | | | | | | | | | | |
| CIP Safety™ Encoder | All* | X | X | X | X | X | | | | | | | | | | | | | | |
| Affected Product Family | Affected Versions | CVE |
|---|---|---|
| 1734-AENT/R | 4.001-6.012 | CVE-2020-25066 |
| 1738-AENT/R | 4.001-6.012 | CVE-2020-25066 |
| 1794-AENTR 1794-AENTR/XT | 1.011-1.017 | CVE-2020-25066 |
| 1732E-16CFGM12R 1732E-8X8M12DR 1732E-IB16M12DR 1732E-IB16M12R 1732E-OB16M12DR 1732E-OB16M12R | 2.011-2.012 | CVE-2020-25066 |
| 1799ER-IQ10XOQ10 | 2.011 | CVE-2020-25066 |
| 1732E-12X4M12QCDR 1732E-16CFGM12QCR 1732E-16CFGM12QCWR 1732E-12X4M12P5QCDR 1732E-16CFGM12P5QCR | 1.011-1.015 | CVE-2020-25066 |
| 1732E-16CFGM12P5QCWR | 1.011-2.011 | CVE-2020-25066 |
| PowerMonitor™ 5000 | 4.19 | CVE-2020-25066 |
| PowerMonitor 1000 | 4.10 | CVE-2020-25066 |
Begin Update 6.0

| Affected Product Family | Affected Versions | CVE |
|---|---|---|
| PowerFlex 527 | all | CVE-2020-25066 |

End Update 6.0
| CVE | Suggested Actions |
|---|---|
| CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914 | For successful exploitation, these vulnerabilities require malformed TCP/IP packets to reach the destination device and an active network connection. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense-in-depth strategies. The CERT/CC has provided IDS rules to support additional mitigations for these vulnerabilities. These rules can be found on their GitHub page. ICS-CERT has provided additional network mitigations in their public disclosure. |
| CVE | Suggested Actions |
|---|---|
| CVE-2020-25066 | Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header. ICS-CERT has provided additional network mitigations in their public disclosure. |
Update 8.0 August 15, 2025

| CVE | Affected Product | Suggested Actions |
|---|---|---|
| CVE-2020-11901 | 1794-AENTR/XT | Apply firmware v2.011 or later |
| CVE-2020-11901 | 1738-AENT, 1738-AENTR | Apply firmware v6.011 or later |
| CVE-2020-11901 | 1734-AENT/K, 1734-AENTR/K | Apply firmware v5.019 or later for series B; v7.011 or later for series C |
| CVE-2020-11901 | 5069-AENTR | Apply firmware v4.012 or later (Download). |
| CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912 | 5094-AEN2SFPR/XT, 5094-AEN2TR/XT, 5094-AENSFPR/XT, 5094-AENTR/XT | Apply firmware v5.012 or later (Download). |
| CVE-2020-11906 | Kinetix 5700 | Apply v13 or later (Download). |
| CVE-2020-11906 | Kinetix 5500 | Apply v7.013 or later (Download). |
| CVE-2020-11906 | Kinetix 5100 | Apply v3.001 or later (Download). |
| CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912 | PowerFlex 755T, PowerFlex 6000T | Apply 6.005 or later for PF755T. Apply R8 or later for PF6000T. (Download) |
| CVE | Affected Product Family | Suggested Actions |
|---|---|---|
| CVE-2020-25066 | 1734-AENT/K, 1734-AENTR/K | Apply firmware v5.019 or later for series B; v7.011 or later for series C |
| CVE-2020-25066 | 1738-AENT, 1738-AENTR | Apply firmware v6.011 or later |
| CVE-2020-25066 | 1794-AENTR/XT | Apply firmware v2.011 or later |
| CVE-2020-25066 | 1732E-16CFGM12R, 1732E-8X8M12DR, 1732E-IB16M12DR, 1732E-IB16M12R, 1732E-OB16M12DR, 1732E-OB16M12R | Apply firmware 3.011 or later. |
| CVE-2020-25066 | 1799ER-IQ10XOQ10 | Apply firmware 3.011 or later. |
| CVE-2020-25066 | 1732E-12X4M12QCDR, 1732E-16CFGM12QCR, 1732E-16CFGM12QCWR, 1732E-12X4M12P5QCDR, 1732E-16CFGM12P5QCR | Apply firmware 3.011 or later. |
| CVE-2020-25066 | 1732E-16CFGM12P5QCWR | Apply firmware 3.011 or later. |

Begin Update 6.0

| CVE | Affected Product Family | Suggested Actions |
|---|---|---|
| CVE-2020-25066 | PowerFlex 527 | Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header. |

End Update 6.0
| Products Affected | Vulnerabilities | Suggested Actions |
|---|---|---|
| Stratix 5800 switches | CVE-2020-3209, CVE-2020-3211, CVE-2020-3218, CVE-2020-3229, CVE-2020-3219, CVE-2020-3516, CVE-2021-1385, CVE-2021-1446 | Update to Stratix 5800 v17.04.01 or later |
| Stratix 5800 switches | CVE-2020-3200 | Update to v16.12.01 or later |
| Stratix 5400/5410 switches | CVE-2020-3200 | Update to v15.2(7)E2 or later |
Additionally, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for additional recommendations to maintain the security posture of your environment.
| Vulnerability | Suggested Actions |
|---|---|
| CVE-2022-38744 | Customers should set up IPsec to mitigate this issue as detailed in QA46277 - Deploying FactoryTalk Software with IPsec |
| Mitigation A | Update to FactoryTalk VantagePoint V8.00/8.10/8.20/8.30/8.31 or later. BF28452 - Patch: Multiple issues, FactoryTalk VantagePoint 8.00/8.10/8.20/8.30/8.31 |
| Mitigation B | If customers are unable to update the firmware, we suggest customers configure the database to follow the least privilege principle. |
| Products Affected | Suggested Actions |
|---|---|
| ThinManager | This issue has been patched. Customers should follow the patch instructions as follows: |
| FactoryTalk Linx Gateway | Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue. |
| FactoryTalk Linx OPC UA Connector | Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue. |
| FactoryTalk View | Customers should view BF28297 - Patch: OpenSSL Vulnerability, FactoryTalk View 11.0, 12.0, 13.0 to install the update that mitigates the issue. |
| Stratix 4300 | The issue has been patched. Customers should upgrade to v4.0.2.101 |
| ThinManager ThinServer software | Versions |
|---|---|
| | 11.0.0 – 11.0.4 |
| | 11.1.0 – 11.1.4 |
| | 11.2.0 – 11.2.5 |
| | 12.0.0 – 12.0.2 |
| | 12.1.0 – 12.1.3 |
| | 13.0.0 |

| CVE-2022-38742 | Versions Affected | Suggested Actions |
|---|---|---|
| | 11.0.0 – 11.0.4 | Update to v11.00.05 |
| | 11.1.0 – 11.1.4 | Update to v11.01.05 |
| | 11.2.0 – 11.2.5 | Update to v11.02.06 |
| | 12.0.0 – 12.0.2 | Update to v12.00.03 |
| | 12.1.0 – 12.1.3 | Update to v12.01.04 |
| | 13.0.0 | Update to v13.00.01 |
| Vulnerability | Suggested Actions |
|---|---|
| CVE-2022-2848, CVE-2022-2825 | Customers should update to version 13.01.00, which mitigates these issues |
| Product in Scope | Version | Vulnerable Component |
|---|---|---|
| FactoryTalk® Linx Enterprise software v6.20, 6.21, and 6.30 | v6.21 | CefSharp v73.1.130 (EIPCACT feature) |
| | v6.30 | CefSharp v91.1.230 (EIPCACT feature) |
| | v6.20 | CefSharp v73.1.130 (Device Config feature) |
| | v6.21 | CefSharp v73.1.130 (Device Config feature) |
| | v6.30 | CefSharp v73.1.130 (Device Config feature) |
| Enhanced HIM (eHIM) for PowerFlex® 6000T drives v1.001 | | Electron v4.2.12 |
| Connected Components Workbench™ software v11, 12, 13 & 20. Note: Drives Trending 1.00.00 and 2.00.00 use Connected Components Workbench | | CefSharp v81.3.100 |
| FactoryTalk Linx Gateway software v6.21 and v6.30 | v6.21 | CefSharp v73.1.130 |
| | v6.30 | CefSharp v91.1.230 |
| FactoryTalk View Site Edition software v13.0 | | WebView2 v96.0.1054.43 |
Software:
RSLogix 5000 software v16-20, Studio 5000 Logix Designer v21 and later, and corresponding Logix controllers running these versions.
FactoryTalk Security, part of the FactoryTalk Services Platform, if configured and deployed v2.10 and later.
Controllers:
1768 CompactLogix™
1769 CompactLogix
CompactLogix 5370
CompactLogix 5380
CompactLogix 5480
ControlLogix 5550
ControlLogix® 5560
ControlLogix 5570
ControlLogix 5580
DriveLogix™ 5730
FlexLogix™ 1794-L34
Compact GuardLogix® 5370
Compact GuardLogix 5380
GuardLogix 5560
GuardLogix 5570
GuardLogix 5580
SoftLogix™ 5800
| Product Family and Version | Risk Mitigation and Recommended User Actions |
|---|---|
| ControlLogix 5580 v32 or later | |
| ControlLogix 5580 v31 | |
| ControlLogix 5570 v31 or later | |
| CompactLogix 5380 v28 or later | recommended: |
| CompactLogix 5370 v20 or later | recommended: |
| ControlLogix 5580 v28-v30, ControlLogix 5570 v18 or later, ControlLogix 5560 v16 or later, ControlLogix 5550 v16, GuardLogix 5580 v31 or later, GuardLogix 5570 v20 or later, GuardLogix 5560 v16 or later, 1768 CompactLogix v16 or later, 1769 CompactLogix v16 or later, CompactLogix 5480 v32 or later, Compact GuardLogix 5370 v28 or later, Compact GuardLogix 5380 v31 or later, FlexLogix 1794-L34 v16, DriveLogix 5370 v16 or later | |
| SoftLogix 5800 | |
| Vulnerability | Product | Suggested Actions |
|---|---|---|
| CVE-2022-2463, CVE-2022-2464, CVE-2022-2465 | ISaGRAF Workbench | Upgrade to ISaGRAF Workbench v6.6.10 or later. |
| CVE-2022-2463, CVE-2022-2464 | AADvance-Trusted SIS Workstation | Upgrade to AADvance-Trusted SIS Workstation 1.2 or later |
| CVE-2022-2465 | AADvance-Trusted SIS Workstation | It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue. |
CVSS v3.1 Base Score: 6.8/10 [MEDIUM]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

| Products Affected | Version Affected | Suggested Actions |
|---|---|---|
| CompactLogix 5380, Compact GuardLogix 5380, CompactLogix 5480, ControlLogix 5580, GuardLogix 5580 | Versions prior to 32.016 | Mitigation A: Customers should upgrade to version 32.016 firmware or later to mitigate this issue. Mitigation B: Set the message control structures access to read-only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004. |
| CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, GuardLogix 5570 | Versions prior to 33.016 | Mitigation A: Customers should upgrade to version 33.016 firmware or later to mitigate this issue. Mitigation B: Set the message control structures access to read-only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004. |
| ControlLogix 5570 Redundancy | Versions prior to 33.053 | Mitigation A: Customers should upgrade to version 33.053 firmware or later to mitigate this issue. Mitigation B: Set the message control structures access to read-only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004. |
| Product | Structured Text (ST) | Ladder Diagrams (LD) | Function Block Diagram (FBD) | Sequential Function Chart (SFC) | Add-On Instructions (AOI) |
|---|---|---|---|---|---|
| 1768 CompactLogix | X | Not affected | X | X | X |
| 1769 CompactLogix | X | Not affected | X | X | X |
| CompactLogix 5370 | X | Not affected | X | X | X |
| CompactLogix 5380 | X | X | X | X | X |
| CompactLogix 5480 | X | X | X | X | X |
| Compact GuardLogix 5370 | X | Not affected | X | X | X |
| Compact GuardLogix 5380 | X | X | X | X | X |
| ControlLogix 5550 | X | Not affected | X | X | X |
| ControlLogix 5560 | X | Not affected | X | X | X |
| ControlLogix 5570 | X | Not affected | X | X | X |
| ControlLogix 5580 | X | X | X | X | X |
| GuardLogix 5560 | X | Not affected | X | X | X |
| GuardLogix 5570 | X | Not affected | X | X | X |
| GuardLogix 5580 | X | X | X | X | X |
| FlexLogix 1794-L34 | X | Not affected | X | X | X |
| DriveLogix 5730 | X | Not affected | X | X | X |
| SoftLogix 5800 | X | Not affected | X | X | X |
| Product Family | Risk Mitigation and Recommended User Actions |
|---|---|
| ControlLogix 5570, ControlLogix 5580, GuardLogix 5570, GuardLogix 5580, CompactLogix 5380, Compact GuardLogix 5380 | Risk Mitigation A: Risk Mitigation B: Implement CIP Security™ to help prevent unauthorized connections when properly deployed. Supported controllers and communications modules include: |

| Product Family | Risk Mitigation and Recommended User Actions |
|---|---|
| 1768 CompactLogix, 1769 CompactLogix, CompactLogix 5370, CompactLogix 5480, ControlLogix 5560, GuardLogix 5560 | Risk Mitigation A: If keeping the controller mode switch in Run is impractical, then use the following mitigation: |
| Apache ActiveMQ Version 5.15.0 | Dom4J Version 1.61 |
| Apache Common BeanUtils Version 1.9.0 | Hibernate ORM Version 3.3.2 |
| Apache CXF Version 3.1.10 | Jackson Databind Version 2.1.4 |
| Apache Http Client Version 4.5.2 | JasperReports Library Version 6.2.0 |
| Apache Santuario (Java) 2.0.8 | Java Platform Standard Edition Version 8u181 |
| Apache Xalan Version (Java) 2.7.1 | JBoss Remoting Version 4.0.22.Final |
| Apache Xerces2J Version 2.11.0.SP5 | JGroups Version 2.12.2 Final |
| Bouncy Castle Version 1.36, 1.44, 1.55 | Spring Framework Versions 2.5.5, 4.3.8-4.3.9 |
| Cryptacular Version 1.51 | Undertow Core Versions 1.0.10.Final |
| Codehaus XFire Version 0.9.5.2 | Velocity.apache.org Version 1.7 |
| Products Affected | Suggested Actions |
|---|---|
| Connected Components Workbench Versions 13.00 and below | Customers should update to version 20.00, which mitigates this vulnerability. |
| ISaGRAF Workbench Versions 6.0-6.6.9 | It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue. |
| SIS Workstation Versions 1.2 and below (for Trusted Controllers) | It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue. |
| Product Affected | Versions Affected |
|---|---|
| Plex (A Rockwell Automation Company) Industrial Internet of Things | All Versions < 2.17 |
| Fiix (A Rockwell Automation Company) CMMS™ core V5 | This product is cloud-based and has been updated for all customers. |
| Warehouse Management | 4.01.00, 4.02.00, 4.02.01, 4.02.02 |
| EIG (Discontinued) | 3.03.00 |
| Industrial Data Center | 9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS – Gen 1, Gen 2, Gen 3, Gen 3.5 |
| VersaVirtual™ Application | 9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN – Series A |
| FactoryTalk® Analytics™ DataFlowML | All Versions until 4.00.00 (including) |
| FactoryTalk Analytics DataView | All |
| Firewall Managed Support – Cisco Firepower® Threat Defense | 9300-FMAN, 9300-FSYS Version 6.2.3 – 7.1.0 |
CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker-controlled LDAP and other JNDI related endpoints
Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
CVE-2021-45046: The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property log4j2.noFormatMsgLookup to true, do NOT mitigate this specific vulnerability.
CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVE-2019-17571: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j 1.2 versions up to 1.2.17.
CVSS v3.1 Base Score: 9.8/10 [CRITICAL]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Vulnerability | Products Affected | Suggested Actions |
|---|---|---|
| CVE-2021-44228 | Plex Industrial IoT | This product has been updated to version 2.17.1 and all vulnerabilities are mitigated at this time. No user action is required. |
| | Fiix CMMS core V5 | The product has been updated to remove Log4j completely and is no longer vulnerable. No user interaction is required. |
| | Warehouse Management Version 4.01.00, 4.02.00, 4.02.01, 4.02.02 | Customers should upgrade to version 4.02.03, which has been released to mitigate this vulnerability. |
| | MES EIG 3.03.00 | This product is currently discontinued and therefore no patch will be provided. Customers should upgrade to EIG Hub if possible or work with their local representatives about alternative solutions. |
| | Industrial Data Center (9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS) – Gen 1, Gen 2, Gen 3, Gen 3.5 | - For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028. - For managed support customers, the Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager. - For non-managed support customers with a VNxE, follow the mitigation outlined by Dell in DSA-2021-298. - For non-managed support customers with a Data Domain, follow the mitigation outlined by Dell in DSA-2021-274 |
| | VersaVirtual (9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN) – Series A | - For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028.2. - For managed support customers, the Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager. |
| | FactoryTalk Analytics DataFlowML | Customers should upgrade to version 4.00.01, which has been released to mitigate this vulnerability. It is recommended that customers not use DataFlowML prior to version 4.00.01. |
| | FactoryTalk Analytics DataView 3.02 | Customers are required to upgrade from 3.02 to 3.03.01. Customers who have prior versions are required to upgrade to 3.02 first. It is recommended that customers not use DataFlowML prior to version 4.00.00. |
| | Firewall Managed Support – Cisco Firepower Threat Defense (9300-FMAN, 9300-FSYS) Version 6.2.3 – 7.1.0 | - For managed support customers, the Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager. - For non-managed support customers, follow the mitigation instructions outlined by Cisco in CSCwa46963. |
| CVE-2021-45046, CVE-2021-4104, CVE-2019-17571 | No products affected at this time. | |
| Products Evaluated and Not Affected | Suggested Actions |
|---|---|
| FactoryTalk Analytics DataView 3.02.00, 3.03.00, 4.00.00, 4.01.00 | No actions are needed as these products do not use the JMSAppender nor the SocketServer and therefore are not vulnerable. |
| Data Scheduler | |
| FactoryTalk Augmented Modeler | |
| FactoryTalk Analytics DataFlowML 2.01 | |
| FactoryTalk Analytics Information Platform | |
| Live Transfer 10.4, 11.0 | |
| Pavilion8 | |
| FactoryTalk Analytics Security Provider 3.02.00, 3.03.00 | |
| PanelView 5000 | |
| FactoryTalk Production Centre (All Versions) | |
| FactoryTalk PharmaSuite (All Versions) | |
| Studio 5000 View Designer | Studio 5000 does not use the JMSAppender nor the SocketServer and is not vulnerable. Note: Studio 5000 consists of Studio 5000 Logix Designer and Studio 5000 View Designer. If Logix Designer is the only component required, then View Designer version 8 or older may be removed by uninstalling it using the Windows Add/Remove Programs feature. Uninstall “Studio 5000 View Designer”. This will remove the log4j 1.2x library completely. Alternatively, update Studio 5000 View Designer to version 9 or later, which has updated log4j libraries that are not vulnerable. |
Revision Number
1.3
| Vulnerability | Affected Products | Suggested Mitigations |
|---|---|---|
| CVE-2020-25176 | AADvance Controller, ISaGRAF5 Runtime, Micro800 family, AADvance Eurocard controller | Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and upgrading AADvance Eurocard Controller firmware to version 1.041 |
| CVE-2020-25178 | AADvance Controller, ISaGRAF5 Runtime, Micro800 family, AADvance Eurocard controller | Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and upgrading AADvance Eurocard Controller firmware to version 1.041 |
| CVE-2020-25182 | ISaGRAF5 Runtime | Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00. Customers should confirm that the least-privilege user principle is followed, and that user/service account access to the Runtime's folder location is granted with the minimum number of rights needed. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least privilege may vary from implementation to implementation based on the hardware in use. |
| CVE-2020-25184 | AADvance Controller, ISaGRAF5 Runtime, AADvance Eurocard controller | Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3, and upgrading AADvance Eurocard Controller firmware to version 1.041 |
| CVE-2020-25180 | AADvance Controller | To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense-in-depth strategies. Rockwell Automation recommends upgrading AADvance Eurocard Controller firmware to version 1.041 |
| Vulnerability | Suggested Actions |
|---|---|
| CVE-2019-5096 | Upgrade firmware to version 1.006 to mitigate this vulnerability. |
| CVE-2019-5097 | Upgrade firmware to version 1.006 to mitigate this vulnerability. |
Rockwell Automation completed an investigation into the additional, impacted real-time operating systems reported in ICS-CERT Advisory: ICSA-19-274-0, and concluded that no products are affected by this new advisory.
Revision Number
1.6
October 1, 2024 – Updated Affected Catalog Numbers and Suggested Actions for ControlLogix EtherNet/IP Module
Armis, an Internet of Things (IoT) security firm, reported a total of eleven vulnerabilities to WindRiver that affect VxWorks, a real-time operating system (RTOS) utilized by many different technology vendors, including Rockwell Automation™. These vulnerabilities, if successfully exploited, may result in several impacts ranging from packet information disclosure to allowing a threat actor to execute arbitrary code on the targeted device.
Not every VxWorks vulnerability applies to every impacted product family. Please see the table under Affected Products for a full list of the potentially affected Rockwell Automation products and the corresponding VxWorks vulnerabilities, which are identified by their Common Vulnerabilities and Exposures (CVE) ID.
Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.
Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures are provided herein.
| Product Family | Catalogs | CVE-2019-12255 | CVE-2019-12256 | CVE-2019-12257 | CVE-2019-12258 | CVE-2019-12259 | CVE-2019-12260 | CVE-2019-12261 | CVE-2019-12262 | CVE-2019-12263 | CVE-2019-12264 | CVE-2019-12265 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CompactLogix™ 5480 (EPIC controller) | 5069-L4 | | x | | x | | x | x | x | x | x | x |
| Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | | x | | x | | x | x | x | x | x | x |
| ControlLogix® 5580 (+ GuardLogix®) | 1756-L8 | | x | | x | | x | x | x | x | x | x |
| CompactLogix Compact GuardLogix 5380 | 5069-L3 | | x | | x | | x | x | x | x | x | x |
| CompactLogix 5370 | 1769-L3 | x | | x | x | | | x | x | x | x | x |
| CompactLogix GuardLogix 5370 | 1769-L3S | x | | x | x | | | x | x | x | x | x |
| CompactLogix 5370 | 1769-L2 | x | | x | x | | | x | x | x | x | x |
| CompactLogix 5370 | 1769-L1 | x | | x | x | | | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TSC/A | x | | x | x | | | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TSC/B | x | x | x | x | | | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2T/C | x | | x | x | | | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2T/D | x | x | x | x | | | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN4TR | | x | | x | | x | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TP/A | x | x | x | x | | | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TR/B | x | | x | x | | | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TR/C | x | x | x | x | | | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN3TR/A | x | x | x | x | | | x | | | | |
| ControlLogix EtherNet/IP Module | 1756-EN3TR/B | x | x | x | x | | | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2F/B | x | x | x | x | | | x | | | | |
| ControlLogix EtherNet/IP Module | 1756-EN2F/C | x | x | x | x | | | x | x | x | x | x |
| ControlLogix EtherNet/IP Module | 1756-EN2TRXT | x | | x | x | | | x | x | x | x | x |
| 1783-NATR, Network Address Translation Router | 1783-NATR | | x | | x | | x | x | x | x | x | x |
| ArmorBlock® I/O Modules | 1732E-8CFGM8R | x | | x | x | | | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-IB8M8SOER | x | | x | x | | | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-IF4M12R | x | | x | x | | | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-IR4M12R | x | | x | x | | | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-IT4M12R | x | | x | x | | | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-OB8M8SR | x | | x | x | | | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-OF4M12R | x | | x | x | | | x | x | x | x | x |
| ArmorBlock I/O Modules | 1732E-8IOLM12R | | x | | x | | x | x | x | x | x | x |
| Bulletin 56RF High-Frequency RFID | 56RF-IN-IPD22 | x | | x | x | | | x | x | x | x | x |
| Bulletin 56RF High-Frequency RFID | 56RF-IN-IPD22A | x | | x | x | | | x | x | x | x | x |
| Bulletin 56RF High-Frequency RFID | 56RF-IN-IPS12 | x | | x | x | | | x | x | x | x | x |
| SLC™ 500 EtherNet/IP Adapter | 1747-AENTR | x | | x | x | | | x | x | x | x | x |
| CompactLogix E/IP Adapter | 1769-AENTR | x | | x | x | | | x | x | x | x | x |
| Kinetix® 6200 Servo Multi-axis Drives | 2094-SE02F-M00-Sx | x | | x | x | | | x | x | x | x | x |
| Kinetix® 6500 Servo Multi-axis Drives | 2094-EN02D-M01-Sx | x | | x | x | | | x | x | x | x | x |
Vulnerability #1: TCP Urgent Pointer = 0 leads to integer underflow
A remote, unauthenticated threat actor could either hijack an existing TCP session or establish a new TCP session to inject malformed TCP packets to the device, resulting in a denial of service condition to the application, or could allow the execution of arbitrary code on the affected device. Products implementing non-executable memory mitigations reduce the risk of exploitation.
CVE-2019-12255 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.
Vulnerability #2: Stack overflow in the parsing of IPv4 packets’ IP options
A remote, unauthenticated threat actor could send invalid IPv4 packets, resulting in a crash to the task that receives or transmits any Ethernet packets, or could allow the execution of arbitrary code on the affected device.
CVE-2019-12256 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.
Vulnerability #3: Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
A remote, unauthenticated threat actor could utilize this vulnerability to overwrite the heap, which may result in a crash later on when a task requests memory from the heap.
CVE-2019-12257 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned.
Vulnerability #4: Denial of Service (DoS) of TCP connection via malformed TCP options
A remote, unauthenticated threat actor who is able to figure out the source and destination TCP port and IP addresses of a session could potentially inject invalid TCP segments which cause the TCP session to be reset, resulting in a crash of the application that is reading from the affected socket.
CVE-2019-12258 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned.
Vulnerability #5: DoS via NULL dereference in IGMP parsing
An unauthenticated threat actor on the same Local Area Network (LAN) as the victim system may use this vulnerability to cause a Denial of Service condition to the task that receives and transmits Ethernet packets.
CVE-2019-12259 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned.
Vulnerability #6: TCP Urgent Pointer state confusion caused by malformed TCP AO option
A threat actor could utilize this vulnerability to cause a buffer overflow, resulting in a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.
CVE-2019-12260 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.
Vulnerability #7: TCP Urgent Pointer state confusion during connect() to a remote host
A threat actor could utilize this vulnerability to cause a buffer overflow, resulting in a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.
CVE-2019-12261 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (“CVSS”) v3.0. A CVSS v3 base score of 8.8 has been assigned.
Vulnerability #8: Handling of unsolicited Reverse Address Resolution Protocol (ARP) replies
A threat actor on the same LAN as the victim system can send reverse-ARP responses to the victim system and assign IPv4 addresses to the target, which could potentially result in network connectivity issues if any of the ARP values collide.
CVE-2019-12262 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.
Vulnerability #9: TCP Urgent Pointer state confusion due to race condition
A threat actor could utilize this vulnerability to cause a buffer overflow, resulting in a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.
CVE-2019-12263 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned.
Vulnerability #10: Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
A threat actor on the same LAN as the victim system could hijack a DHCP client session which may result in the victim incorrectly assigning a multicast IP address that originated from the threat actor.
CVE-2019-12264 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.
Vulnerability #11: IGMP information leak via IGMPv3 specific membership report
This vulnerability may allow a threat actor on the same LAN as the victim system to transmit packets to the network that may contain information from packets that were previously sent/received by the network stack.
CVE-2019-12265 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned.
Customers using affected products are encouraged to evaluate their risk and, when possible, combine the risk mitigation strategies provided below with the general security guidelines.
| Product | Catalog Numbers | Suggested Actions |
| CompactLogix™ 5480 (EPIC Controller) | 5069-L4 | Upgrade to firmware version 32.013 (Download) or later. |
| Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | Will not be patched. Suggested action is to migrate to the 5069-AENTR. |
| ControlLogix EtherNet/IP Module | 1756-EN2TSC/A | Will not be patched as it has been discontinued. |
| ControlLogix EtherNet/IP Module | 1756-EN2T/D, 1756-EN3TR/B | Upgrade to firmware version 11.002 (Download) or later. |
| ControlLogix EtherNet/IP Module | 1756-EN2T/C, 1756-EN2F/B, 1756-EN2TR/B, 1756-EN3TR/A | No fix. Upgrade to 1756-EN2T/D, 1756-EN2TP/A, 1756-EN2TR/C, or 1756-EN2F/C. |
| ControlLogix 5580 | 1756-L8 | Upgrade to firmware version 30.015 (Download), version 31.013 (Download), or version 32.013 (Download) or later. |
| GuardLogix 5580 | 1756-L8S | Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later. |
| CompactLogix 5380 | 5069-L3 | Upgrade to firmware version 30.015 (Download), version 31.013 (Download), or version 32.013 (Download) or later. |
| Compact GuardLogix 5380 | 5069-L3S2 | Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later. |
| CompactLogix 5370 | 1769-L3 | Upgrade to firmware version 32.013 (Download) or later. |
| CompactLogix GuardLogix 5370 | 1769-L3S | Upgrade to firmware version 28.015 (Download) or version 32.013 (Download) or later. |
| 1783-NATR Network Address Translation Router | 1783-NATR | Upgrade to firmware version 1.005 (Download) or later. |
| Kinetix® 6200 Servo Multi-axis Drives | 2094-SE02F-M00-Sx | Upgrade to firmware version 1.050 (Download) or later. |
| Kinetix® 6500 Servo Multi-axis Drives | 2094-EN02D-M01-Sx | Upgrade to firmware version 3.005 (Download) or later. |
| SLC 500 EtherNet/IP Adapter | 1747-AENTR | Upgrade to firmware version 2.003 (Download) or later. |
| CompactLogix E/IP Adapter | 1769-AENTR | Upgrade to firmware version 1.002 (Download) or later. |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
Rockwell Automation received a report from CERT/CC with research done by Forescout Technologies and Vdoo regarding fourteen vulnerabilities in the products listed below. If successfully exploited, these vulnerabilities may result in the products faulting and/or ceasing communications, requiring the power to be cycled to the product to recover.
Customers using affected versions of these products are encouraged to evaluate the mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided below.
Update 2.0 - September 9, 2025
Fix available for 1715-AENTR vulnerabilities
| Product | Vulnerability | Affected Versions | Remediation |
| 1715-AENTR | CVE-2020-35683 CVE-2020-35684 CVE-2020-35685 CVE-2021-31400 CVE-2021-31401 | Firmware 3.003 and previous | Upgrade to Version 3.011 or later. |
| Product | Affected Versions |
| 20-COMM-ER | All Versions |
| ArmorStart 28xE | All Versions |
| 1715-AENTR | All Versions |
| AADvance Safety Controller | All Versions |
| AADvance Eurocard Controllers | All Versions |
A REMOTE, UNAUTHENTICATED attacker may be able to form a malformed response to a DNS request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.
Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in a heap-buffer overflow, leading to a possible information leak, remote code execution, or the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.
Researcher CVSS v3.1 Base Score: 9.8/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in an Out-of-Bounds read resulting in a device fault and/or cessation of communications requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.
Researcher CVSS v3.1 Base Score: 8.2/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
A REMOTE, UNAUTHENTICATED attacker may be able to poison the DNS cache of the device due to transaction IDs not being properly randomized.
See the links at the end of the article to obtain more technical information regarding this vulnerability.
Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.
Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.
Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.
Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A REMOTE, UNAUTHENTICATED attacker may be able to hijack a TCP connection and spoof the device’s network connections.
See the links at the end of the article to obtain more technical information regarding this vulnerability.
Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP segment, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.
Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP header, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.
Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP POST request, which would result in the device faulting and/or ceasing communications and requiring a power cycle, or possibly in bypassing authentication.
See the links at the end of the article to obtain more technical information regarding the vulnerability.
Researcher CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP POST request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.
Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
A REMOTE, UNAUTHENTICATED attacker may be able to spoof a DNS response, which would result in the device communicating with a potentially malicious server.
See the links at the end of the article to obtain more technical information regarding the vulnerability.
Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
Rockwell Automation is not impacted by this vulnerability
| Product | Vulnerability | Mitigation |
| 20-COMM-ER | CVE-2021-31226 CVE-2021-31227 | Disable the webserver. See the product’s user manual for the procedure to do this. |
Version 1.0 – July 9, 2021. Initial Release
| Vulnerability | Suggested Actions |
| CVE-2021-33012 | Put the controller mode switch to “Run” mode. Customers should consider migrating to a more contemporary controller. |
| Vulnerability | Suggested Actions |
| CVE-2021-32960 | Apply FactoryTalk Services Platform v6.20 or later. |
| Vulnerability | Suggested Actions |
| CVE-2021-32926 | Confirm that setting and updating the password for the controller is done within a trusted network environment that is only accessible to authorized users. |
| Vulnerability | Suggested Actions |
| CVE-2021-27475 CVE-2021-27471 CVE-2021-27471 | Upgrade to Connected Components Workbench v13.00.00 or later. (Link) |
| Product Family | Catalogs | Affected Versions |
| Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | All versions. |
| CompactLogix 5370 | 1769-L1y 1769-L2y 1769-L3y | All versions prior to v30. |
| CompactLogix 5370 | 1769-L3yS | All versions prior to v30, excluding v28.015. |
| ControlLogix® 5580 | 1756-L8 | All versions prior to v30. |
| CompactLogix 5380 | 5069-L3 | All versions prior to v30. |
| ControlLogix EtherNet/IP Module | 1756-EN2T/D 1756-EN2TK/D 1756-EN2TXT/D 1756-EN2F/C 1756-EN2FK/C 1756-EN2TR/C 1756-EN2TRK/C 1756-EN2TRXT/C 1756-EN3TR/B 1756-EN3TRK/B 1756-EN2TPK/A 1756-EN2TPXT/A | All versions prior to v11.001. |
| ControlLogix EtherNet/IP Module | 1756-EN2TP/A | All versions prior to v10.020. |
| Product Family | Catalogs | Suggested Actions |
| Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | Will not be patched. Suggested action is to migrate to the 5069-AENTR. |
| CompactLogix 5370 | 1769-L1y 1769-L2y 1769-L3y | Apply v30 or later. |
| CompactLogix 5370 | 1769-L3yS | Apply v28.015 or v30 or later. |
| ControlLogix® 5580 | 1756-L8 | Apply v30 or later. |
| CompactLogix 5380 | 5069-L3 | Apply v30 or later. |
| ControlLogix EtherNet/IP Module | 1756-EN2T/D 1756-EN2TK/D 1756-EN2TXT/D 1756-EN2F/C 1756-EN2FK/C 1756-EN2TR/C 1756-EN2TRK/C 1756-EN2TRXT/C 1756-EN3TR/B 1756-EN3TRK/B 1756-EN2TPK/A 1756-EN2TPXT/A | Apply v11.001 or later. |
| ControlLogix EtherNet/IP Module | 1756-EN2TP/A | Apply v10.020 or later. |
| Vulnerability | Suggested Actions |
| CVE-2021-27462 CVE-2021-27466 CVE-2021-27470 CVE-2021-27474 CVE-2021-27476 CVE-2021-27472 CVE-2021-27468 CVE-2021-27464 CVE-2021-27460 | Apply FactoryTalk AssetCentre v11 or above (Download). As an additional mitigation, customers who are unable to upgrade or are concerned about unauthorized client connections are encouraged to deploy IPsec, a built in security feature found within FactoryTalk AssetCentre. Users should follow guidance found in QA46277. IPsec would minimize exposure to unauthorized clients and has been tested in FactoryTalk AssetCentre v9 – v11. |
| Product | Suggested Actions |
| Connected Components Workbench Version 12.00 and below | Customers should update to Version 13.00 which mitigates this vulnerability. |
| ISaGRAF Workbench 6.6.9 and below | It is recommended that customers follow the guidelines below until a patch is available. |
| SIS Workstation 1.1 and below | Customers should update to version 1.2 which mitigates this vulnerability. |
| CVE ID | Affected Product Family | Affected Versions |
| CVE-2021-1392 | Stratix 5800 | 16.12.01 and earlier |
| CVE-2021-1392 | Stratix 8000 Stratix 5700 Stratix 5410 Stratix 5400 | 15.2(7)E3 and earlier |
| CVE-2021-1392 | Stratix 8300 | All Versions |
| CVE-2021-1403 | Stratix 5800 | 16.12.01 and earlier |
| CVE-2021-1352 | Stratix 5800 | 17.04.01 and earlier, if DECnet is enabled. |
| CVE-2021-1442 | Stratix 5800 | 16.12.01 and earlier |
| CVE-2021-1452 | Stratix 5800 | 16.12.01 and earlier |
| CVE-2021-1443 | Stratix 5800 | 17.04.01 and earlier |
| CVE-2021-1220 CVE-2021-1356 | Stratix 5800 | 17.04.01 and earlier |
| CVE ID | Affected Product Family | Affected Firmware Versions | Suggested Actions |
| CVE-2021-1392 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
| CVE-2021-1392 | Stratix 8000 Stratix 5700 Stratix 5410 Stratix 5400 | 15.2(7)E3 and earlier | Confirm that the least-privilege user principle is followed, and that user account access is only granted with the minimum number of rights needed. |
| CVE-2021-1392 | Stratix 8300 | All Versions | Migrate to a contemporary solution. |
| CVE-2021-1403 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
| CVE-2021-1352 | Stratix 5800 | 17.04.01 and earlier, if DECnet is enabled. | If possible, disable DECnet protocol completely or on select interfaces. To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies. |
| CVE-2021-1442 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
| CVE-2021-1452 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later. |
| CVE-2021-1443 | Stratix 5800 | 17.04.01 and earlier | Confirm that the least-privilege user principle is followed, and that user account access is only granted with the minimum number of rights needed. |
| CVE-2021-1220 CVE-2021-1356 | Stratix 5800 | 17.04.01 and earlier | Confirm that the least-privilege user principle is followed, and that user account access is only granted with the minimum number of rights needed. |
| Vulnerability Details | Recommended User Actions |
| CVE-2020-14504 CVE-2020-14502 | 1734-AENTR Series B, update to firmware version 5.018. (Download). 1734-AENTR Series C, update to firmware version 6.013. (Download). |
| Vulnerability | Suggested Actions |
| CVE-2021-22665 | Apply DriveTools SP v5.14 or later (Download). Apply Drives AOP v4.13 or later (Download). |
| Vulnerabilities | Affected Products | Suggested Mitigations |
| CVE-2020-6083 CVE-2020-6084 CVE-2020-6085 CVE-2020-6086 CVE-2020-6087 CVE-2020-6088 | 1794-AENT Flex I/O, Series B, firmware versions 4.003 and earlier | Version 2.0: Apply firmware v4.004 (download). Version 1.0: It is recommended that customers use this module in the Cell Area/Zone (Level 1) as defined on page 16 of the System Security Design Guidelines and only accept CIP connections from trusted sources via port 44818. For successful exploitation, these vulnerabilities require EtherNet/IP packets to reach the destination device. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies. Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPN, or other security appliances. |
Rockwell Automation received a report from Parul Sindhwad and Dr. Faruk Kazi from COE-CNDS, Veermata Jijabai Technological Institute (VJTI), India regarding a vulnerability in the MicroLogix™ 1400 controller. If successfully exploited, this vulnerability may result in denial-of-service conditions.
This vulnerability does not impact MicroLogix 1400 controller users who have Modbus TCP disabled.
Customers using affected versions of this controller are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
MicroLogix 1400, all series version 21.6 and below.
| Vulnerability Details | Recommended User Actions |
| CVE-2014-0755 | Risk Mitigation Strategy A: For stronger protection, apply License Source Protection, introduced in v26. To apply License Source Protection to content that is protected with Source Key Protection, the Source Key Protection must be removed prior to applying License Source Protection. Once content is protected with License Source Protection, it must be downloaded to the appropriate controller to mitigate the risk associated with this vulnerability. Refer to Logix 5000 Controllers Security, 1756-PM016O-EN-P (rockwellautomation.com) for more information about Source Protection. Risk Mitigation Strategy B: In addition to using current software, we also recommend the following actions to concerned customers who continue to use Source Key Protection. Where possible: |
| Vulnerability | Affected Products |
| CVE-2020-5801 | FactoryTalk Linx version 6.20 and earlier. |
| CVE-2020-5802 | FactoryTalk Linx version 6.20 and earlier. |
| CVE-2020-5806 | FactoryTalk Linx versions 6.10, 6.11, and 6.20. |
| CVE-2020-5807 | FactoryTalk Services Platform version 6.20 and earlier. |
| Vulnerability | Suggested Actions |
| CVE-2020-5801 CVE-2020-5802 | Version 2.0: Apply the patch found in BF26285. Version 1.0: Apply Internet Protocol Security (IPsec) to provide security services for IP network traffic. For more information on how to apply IPsec, see Knowledge Base ID QA46277. |
| CVE-2020-5806 | Version 3.0: Apply the patch found in BF26287. |
| CVE-2020-5807 | For FactoryTalk Services Platform v6.20 see Patch Answer ID BF26157. |
On Tuesday, January 14, 2020, Microsoft issued a patch and advisory addressing a major cryptographic vulnerability affecting Windows 10, Windows 10 IoT Core and Enterprise, and Windows Server 2016 and 2019. This vulnerability, identified as CVE-2020-0601 and also referred to as "CurveBall," exists in the way Crypt32.dll validates Elliptic Curve Cryptography (ECC) certificates. It breaks the chain of trust and could allow an attacker to sign a malicious executable, intercept and modify TLS-encrypted traffic, or spoof Authenticode code-signing certificates. The National Security Agency (NSA) coordinated the information and release of this vulnerability with Microsoft.
The Rockwell Automation® Product Security Incident Response Team (PSIRT) has been tracking this vulnerability since its release. At the time of writing, Rockwell Automation products are not being directly targeted, but are impacted by vulnerable Windows 10 IoT installations. Please see the Affected Products for a full list of potentially affected Rockwell Automation products.
An investigation is ongoing. Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as information becomes available.
Microsoft Windows 10 IoT Core and Enterprise editions are impacted by this vulnerability. At the time of publishing, the following Rockwell Automation products are impacted by CVE-2020-0601:
CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability
Description: A vulnerability exists in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.
Customers should understand their potential exposure to this vulnerability by completing a thorough asset inventory and assessment.
| Vulnerability | Rockwell Automation Product | Suggested Actions |
| CVE-2020-0601 | | Microsoft released a patch for affected versions of Windows on January 14, 2020. |
| CVE-2020-0601 | | Install the Microsoft Cumulative Security Updates on FactoryTalk Analytics LogixAI; refer to QA58887. |
Otherwise, Rockwell Automation will provide a firmware update for the products noted. Patches are not yet available for these products. When the patches are available, this article will be updated.
| Vulnerability | Rockwell Automation Product | Suggested Actions |
| CVE-2020-0601 | | To reduce risk, customers should ensure they are employing proper network segmentation and security controls. |
Customers using Rockwell Automation industrial compute solutions, such as VersaView computers, Industrial Data Centers, etc., are recommended to regularly inventory and patch their host operating systems.
Update on 1/31/2020: Rockwell Automation MS Patch Qualification team successfully qualified the Microsoft patch related to Curveball. Full results and other useful information can be found here.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
| Vulnerability | Suggested Actions |
| CVE-2020-6111 | Migrate to MicroLogix 1400 and apply firmware v21.006 or later. |
| Vulnerability | Suggested Actions |
| CVE-2020-12525 | Deny access to PDC Field Edition. To do this, follow the steps below. |
Recommended User Actions
| Affected Product | Base version 6.6 | Base version 6.7 | Base version 6.8 | Base version 6.9 |
| KEPServer Enterprise (Download) | Apply version 6.6.550.0 | -- | -- | Apply version 6.9.584.0 |
| Thingworx Kepware Server (Download) | -- | -- | Apply version 6.8.839.0 | Apply version 8.9.584.0 |
| Thingworx Industrial Connectivity (Download) | Apply version 8.4 (6.6.362.0) | Apply version 8.5 (6.7.1068) | -- | -- |
| Vulnerability Details | Recommended User Actions |
| CVE-2020-27253 CVE-2020-27251 CVE-2020-27255 | For FactoryTalk Linx v6.10 and v6.11, see Patch Answer ID BF25509. Additionally, the user could move to v6.20, which is available on the PCDC. |
On the Stratix 5700 Industrial Managed Ethernet switch running Cisco IOS, because no session management is performed for HTTP or HTTPS sessions, the only way to close and terminate an active HTTP or HTTPS management session is to close the web browser used for that session after the user is done. Closing the active tab or active window is not enough; the browser instance must be terminated.
If the browser instance has not been terminated, an actor with local access to the machine from which the session was established may be able to restart the management session without being prompted for any credentials, which would result in this actor having the same kind of access to the device as the user on the previous session.
Version 2.0 - July 8th 2016
Rockwell Automation has learned about the existence of a malicious file called "Allenbradleyupload.zip" that is being distributed on the internet. This file is NOT an official update from Rockwell Automation, and we have been informed that this file contains a type of ransomware malware that, if successfully installed and launched, may compromise the victim’s computer. This advisory is intended to raise awareness to control system owners and operators of reports of the file’s existence as a result of reports Rockwell Automation received from the Electricity Information Sharing and Analysis Center ("E-ISAC").
Update 08-JUL-2016: Our investigation has confirmed the existence of the reported malware through VirusTotal.com. According to VirusTotal, it "is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware." According to information on VirusTotal.com, the file "Allenbradleyupload.zip" contains a single file called "Allenbradleyupload.exe", which may be malicious. File hashes and links to VirusTotal.com are in the table that follows below. These file hash values can be used with Application Whitelisting technologies to reduce the ability of this malware to execute on a system. According to VirusTotal, most of the antivirus/anti-malware vendors have updated their databases to detect this malware. However, we strongly recommend ensuring that your antivirus programs and virus definitions are up to date.
| File Name | Hash Type | Hash Value |
| Allenbradleyupload.zip | MD5 | b552a95bd3eceb1770db622a08105f52 |
| Allenbradleyupload.zip | SHA-1 | 4dbba01786068426c032a7524e31668f2435d181 |
| Allenbradleyupload.zip | SHA-256 | e7b4a2c05e978b86a231fa276db29bb8362bd25160bdeb4c2239cb614d7f44df |
| Allenbradleyupload.exe | MD5 | 49067f7b3995e357c65e92d0c7d47c85 |
| Allenbradleyupload.exe | SHA-1 | 5f8c4246fc24d400dffef63f25a44b61932b13af |
| Allenbradleyupload.exe | SHA-256 | 97ec86160dea82a17521a68076fe0d5537f60577b79338e67a15528115e94b88 |
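The advisory suggests using the published hash values with application whitelisting. The following added example (not Rockwell Automation tooling) shows the same idea as a stand-alone check: it computes MD5, SHA-1 and SHA-256 of a file, and of each member of a ZIP archive, and compares them with the hashes in the table above; the only real indicators are those hashes, and all other input is constructed sample data.

```python
"""Hash-based check against the indicators published in the advisory above.

Added example, not Rockwell Automation's own tooling. Matching on content
hashes rather than on file name also catches renamed copies of the files.
"""
import hashlib
import io
import zipfile
from pathlib import Path

# Hash values exactly as published in the advisory table.
ADVISORY_IOCS = {
    "Allenbradleyupload.zip": {
        "md5": "b552a95bd3eceb1770db622a08105f52",
        "sha1": "4dbba01786068426c032a7524e31668f2435d181",
        "sha256": "e7b4a2c05e978b86a231fa276db29bb8362bd25160bdeb4c2239cb614d7f44df",
    },
    "Allenbradleyupload.exe": {
        "md5": "49067f7b3995e357c65e92d0c7d47c85",
        "sha1": "5f8c4246fc24d400dffef63f25a44b61932b13af",
        "sha256": "97ec86160dea82a17521a68076fe0d5537f60577b79338e67a15528115e94b88",
    },
}

# Do not expand archive members larger than this (guards against zip bombs).
MAX_MEMBER_BYTES = 64 * 1024 * 1024


def digests(data: bytes) -> dict:
    """Return lowercase hex MD5, SHA-1 and SHA-256 of a byte string."""
    return {
        "md5": hashlib.md5(data, usedforsecurity=False).hexdigest(),
        "sha1": hashlib.sha1(data, usedforsecurity=False).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def lookup(hashes: dict, iocs: dict = ADVISORY_IOCS) -> list:
    """Names of indicator entries whose published hashes match any computed digest."""
    return [
        name
        for name, known in iocs.items()
        if any(hashes.get(alg) == value.lower() for alg, value in known.items())
    ]


def scan_bytes(data: bytes, label: str, iocs: dict = ADVISORY_IOCS) -> list:
    """Scan a blob and, if it is a ZIP archive, each of its members (recursively).

    Returns (label, indicator_name) pairs; an empty list means nothing matched.
    """
    findings = [(label, name) for name in lookup(digests(data), iocs)]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir():
                    continue
                member_label = f"{label}:{info.filename}"
                if info.file_size > MAX_MEMBER_BYTES:
                    findings.append((member_label, "SKIPPED:member too large"))
                    continue
                findings.extend(scan_bytes(archive.read(info), member_label, iocs))
    return findings


def scan_path(path, iocs: dict = ADVISORY_IOCS) -> list:
    """Scan a file on disk (read fully; the files in scope here are small)."""
    return scan_bytes(Path(path).read_bytes(), str(path), iocs)


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a benign archive, plus a constructed indicator list that
    # carries the SHA-256 of one member so the nested-member path is exercised.
    sample = make_zip({"readme.txt": b"benign", "payload.bin": b"constructed sample"})
    print("advisory IoCs:", scan_bytes(sample, "sample.zip"))  # []
    demo_iocs = {"demo-indicator": {"sha256": digests(b"constructed sample")["sha256"]}}
    print("constructed IoCs:", scan_bytes(sample, "sample.zip", demo_iocs))
    # [('sample.zip:payload.bin', 'demo-indicator')]
```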
Rockwell Automation confirms that this malware is NOT an official product update and it is not connected with any Rockwell automation product, software update, or website.
Rockwell Automation decided to provide this advisory since the attackers have used the Rockwell Automation brand name on the file, possibly as a means of increasing the likelihood that an ICS-knowledgeable user would download and execute the malware. We are continuing to monitor this situation, and we will update this advisory as we learn more.
BACKGROUND
Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary ransom in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically the user is required to pay the ransom in some form of untraceable currency, and must do so before the deadline expires and the decryption key is destroyed.
According to the September/October 2015 issue of the ICS-CERT Monitor, "Ransomware, such as Cryptolocker or TeslaCrypt, is currently one of the most prolific categories of malware growth, rising 165 percent in varieties seen between the fourth quarter of 2014 and the first quarter of 2015".
CUSTOMER RISK MITIGATIONS
Where feasible, precautions and risk mitigation strategies against this type of attack, such as those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.
- Obtain product software and firmware from Rockwell Automation’s official download portal, available at http://www.rockwellautomation.com/global/support/drivers-software-downloads.page.
- Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in KB546987.
- Consult VirusTotal.com’s analysis of the malware (using the links above), to determine if your deployed antivirus solution is able to detect this malware. (UPDATED 08-JUL-2016)
- Analyze outbound network traffic against the known indicators of compromise (IoC), available from the US-CERT portal, to identify and assess the risk of any unusual network activity.
- Develop, and then deploy, backup and disaster recovery policies and procedures. Test backups on a regular schedule.
- Implement a change management system to archive network, controller and computer assets (e.g., clients, servers and applications).
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack, which can also serve as a vehicle for malware infection.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
FactoryTalk Activation (FTA) Manager v4.05.00 and earlier running Wibu-Systems CodeMeter v7.10 or earlier.
The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. Customers whose install base includes any of the products in the following list also have FactoryTalk Activation Manager installed.
| Vulnerability | Currently Installed | Suggested Actions |
| CVE-2020-14517 CVE-2020-16233 CVE-2020-14513 CVE-2020-14509 CVE-2020-14519 CVE-2020-14515 | FactoryTalk Activation Manager v4.05.00 and earlier | Update to version 4.05.01 of FactoryTalk Activation Manager. Select the FactoryTalk Activation Manager download from our website. This information can also be found in Compatibility & Downloads > Configured Views > Standard Views > Software Latest Versions > FactoryTalk Activation. |
| CVE-2020-14517 CVE-2020-16233 CVE-2020-14513 CVE-2020-14509 CVE-2020-14519 CVE-2020-14515 | FactoryTalk Activation Manager v4.05.00 and earlier | Update to version 7.10a of CodeMeter found on the Rockwell Automation PCDC, which is compatible with all supported versions of FTA. This information can also be found in Compatibility & Downloads > Configured Views > Standard Views > Software Latest Versions > FactoryTalk Activation. |
| CVE-2020-14519 CVE-2020-14515 | FactoryTalk Activation Manager v4.04.00 and earlier | Update to FTA v4.05 or later and employ the general security guidelines. For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center Standard Views > Software Latest Versions > FactoryTalk Activation. |
| CVE-2020-14517 CVE-2020-16233 CVE-2020-14513 CVE-2020-14509 | FactoryTalk Activation Manager v4.04.00 and earlier | Update to FTA v4.05 or later and employ the general security guidelines. The default configuration of FTA v4.05 limits the vulnerable port, which mitigates these vulnerabilities. However, if CodeMeter is running as a server, which can be turned on via FTA, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense-in-depth strategies. |
| Vulnerability Information | Recommended User Actions |
| CVE-2020-12029 | Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied (QA49264 - Patch Roll-up for CPR9 SRx). Apply patch BF25481. |
| CVE-2020-12031 | Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied (QA49264 - Patch Roll-up for CPR9 SRx). Apply the patch found in BF25482. |
| CVE-2020-12028 CVE-2020-12027 | This vulnerability is remediated by enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in QA46277 and QA59546 to set up IPSec and/or HTTPS, respectively. |
| Vulnerability Information | Recommended User Actions |
| CVE-2020-12025 | Update to v32.03 of Logix Designer Studio 5000. Rockwell Automation customers using AML or RDF files should not accept files from unknown sources and remain cautious of social engineering attempts that may take advantage of this vulnerability. |
A vulnerability exists in certain CompactLogix™ 5370 and Compact GuardLogix® 5370 programmable automation controllers that, if successfully exploited, may cause a Denial of Service (DoS) condition. These products are used to control processes across several industries, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation® has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.
Specific details of this vulnerability were disclosed publicly by researchers presenting at the ICS Cyber Security Conference in Singapore on April 25, 2018. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
| Product Type | Product Family | Catalog Numbers | Suggested Actions |
| Small Controllers | CompactLogix 5370 L1 CompactLogix 5370 L2 CompactLogix 5370 L3 Armor CompactLogix 5370 L3 | 1769-L16ER-BB1B 1769-L18ER-BB1B 1769-L18ERM-BB1B 1769-L19ER-BB1B 1769-L24ER-QB1B 1769-L24ER-QBFC1B 1769-L27ER-QBFC1B 1769-L30ER 1769-L30ER-NSE 1769-L30ERM 1769-L33ER 1769-L33ERM 1769-L36ERM 1769-L37ERMO | Apply FRN 28.015 or apply 31.011 or later. |
| Safety Controllers | Compact GuardLogix 5370 Armor Compact GuardLogix 5370 L3 | 1769-L30ERMS 1769-L33ERMS 1769-L36ERMS 1769-L37ERMS 1769-L38ERMS 1769-L33ERMOS 1769-L36ERMOS | Apply FRN 28.015 or apply 31.011 or later. |
CVE-2020-14516: Improper Implementation of Hashing Algorithm for User Passwords
There is an issue with the implementation of the SHA-256 hashing algorithm with FactoryTalk Services Platform 6.10 and 6.11 that prevents the user password from being hashed properly. A successful exploit could allow a remote, unauthenticated attacker to create new users in the FactoryTalk Services Platform administration console and this new user would allow the attacker to modify or delete configuration and application data in other FactoryTalk software connected to FactoryTalk Services Platform.
CVSS v3.0 Base Score: 10.0/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
| Product Family | Suggested Actions |
| FactoryTalk Services Platform | Follow the guidance provided in Knowledgebase Article ID: BF10207 in order to patch (link). |
CVE-2020-14480: Cleartext Storage of Sensitive Information in Memory
A local, authenticated attacker may have access to certain credentials, including Windows Logon credentials, as a result of usernames/passwords being stored in plaintext in Random Access Memory (RAM).
CVSS v3.1 Base Score: 8.8/HIGH
CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE-2020-14481: Use of a Weak Algorithm for Password Protection
The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE.
CVSS v3.1 Base Score: 8.8/HIGH
CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
| Product Family | Catalog Numbers | CVE # | Suggested Actions |
| FactoryTalk View SE | 9701-VWSx | CVE-2020-14480 | Download v10.0 or later. |
| FactoryTalk View SE | 9701-VWSx | CVE-2020-14481 | Download v11.0 or later. |
CVE-2020-14478: Weakly Configured XML Parser
A local, authenticated attacker could use an XML External Entity (XXE) attack against a weakly configured XML parser to access local or remote content. A successful exploit could potentially cause a denial-of-service (DoS) condition and allow the attacker to arbitrarily read any local file via system-level services. The contents of that file could then be forwarded to the attacker.
CVSS v3.0 Base Score: 8.4/HIGH
CVSS v3.0 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
| Product Family | Suggested Actions |
| FactoryTalk Services Platform | Download patch for 6.11 (Download) |
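The XXE weakness described for CVE-2020-14478 is a parser configuration problem: a parser that honours DOCTYPE and entity declarations in untrusted input can be steered to read files or reach out to the network. The following Python example is added here and is not Rockwell Automation's or FactoryTalk's parser code; it shows the defensive configuration with the standard-library expat bindings, rejecting any DOCTYPE, entity declaration or external entity reference before the parser can act on it. The sample documents are constructed for the example and the SYSTEM identifier is a placeholder.

```python
"""Hardened XML parsing for untrusted input (added example, not vendor code).

Pattern demonstrated: refuse any document that carries a DOCTYPE (and hence
any entity declaration) and keep external-entity resolution disabled, so an
XXE-shaped document is rejected instead of being resolved.
"""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML tries to declare a DOCTYPE or an entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into {element name: text} for elements that carry text.

    Raises UnsafeXmlError for DOCTYPE/entity constructs and
    xml.parsers.expat.ExpatError for malformed XML.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never expand parameter entities (this is also expat's default).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    result: dict = {}
    buffers: list = []  # stack of [element name, collected text chunks]

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE declarations are not allowed in untrusted XML")

    def reject_entity(*_args):
        raise UnsafeXmlError("entity declarations are not allowed in untrusted XML")

    def reject_external(context, base, system_id, public_id):
        # Raising here aborts the parse instead of fetching the external resource.
        raise UnsafeXmlError("external entity reference blocked: %r" % (system_id,))

    def start(name, attrs):
        buffers.append([name, []])

    def chars(text):
        if buffers:
            buffers[-1][1].append(text)  # expat may deliver text in several chunks

    def end(name):
        tag, parts = buffers.pop()
        joined = "".join(parts).strip()
        if joined:
            result[tag] = joined

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    parser.Parse(data, True)
    return result


def is_safe_xml(data: bytes) -> bool:
    """True when the document parses without any DOCTYPE/entity constructs."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample documents (not taken from any real product).
SAFE_DOC = b'<?xml version="1.0"?><device><name>PLC-01</name><fw>31.011</fw></device>'
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///constructed/placeholder">]>'
    b"<d>&x;</d>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(SAFE_DOC))  # {'name': 'PLC-01', 'fw': '31.011'}
    print(is_safe_xml(XXE_DOC))           # False: rejected at the DOCTYPE
```

The DOCTYPE handler fires before any entity is resolved, so the rejection happens on the declaration itself; the entity and external-reference handlers are kept as a second layer in case a future change re-enables DOCTYPE processing.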
| CVE | Products Affected | Mitigation |
| CVE-2020-11999 CVE-2020-12001 CVE-2020-12003 CVE-2020-12005 | | Customers are encouraged to apply these patches by following instructions in Knowledgebase articles below: |
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
| Vulnerability Information | Recommended User Actions |
| CVE-2020-12001 | Customers are encouraged to apply these patches by following instructions in Rockwell Automation Knowledgebase articles below: |
Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.
During the competition, Rockwell Automation was made aware of a service that can instantiate a COM object on the affected machine.
Special thanks to researchers at Claroty for submitting this vulnerability through the Pwn2Own competition.
Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures are provided herein.
CVE-2020-12033: Arbitrary COM object instantiation due to lack of data validation
FactoryTalk Services Platform redundancy host service (RdcyHost.exe) does not validate supplied identifiers, which could allow an unauthenticated, adjacent attacker to execute remote COM objects with elevated privileges.
CVSS v3.1 Base Score: 7.5/HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10299
| Vulnerability Information | Recommended User Actions |
| CVE-2020-12033 | This vulnerability is mitigated by implementing a secure communication strategy following the guidance outlined in Rockwell Automation Knowledge article QA46277. |
Software/PC-based Mitigation Strategies
| CVE ID | ZDI Report ID |
| CVE-2019-13510 | ZDI-CAN-8012 ZDI-CAN-8013 ZDI-CAN-8015 ZDI-CAN-8016 ZDI-CAN-8017 ZDI-CAN-8060 ZDI-CAN-8062 ZDI-CAN-8096 ZDI-CAN-8174 ZDI-CAN-8600 ZDI-CAN-8623 ZDI-CAN-8624 ZDI-CAN-8683 ZDI-CAN-10129 ZDI-CAN-10186 ZDI-CAN-10373 ZDI-CAN-10374 ZDI-CAN-10470 ZDI-CAN-10554 ZDI-CAN-10555 ZDI-CAN-10556 ZDI-CAN-10557 ZDI-CAN-10559 |
| CVE ID | ZDI Report ID |
| CVE-2019-13511 | ZDI-CAN-8014 |
| CVE ID | ZDI Report ID |
| CVE-2019-13519 | ZDI-CAN-8175 |
| CVE ID | ZDI Report ID |
| CVE-2019-13521 | ZDI-CAN-8134 |
| CVE ID | ZDI Report ID |
| CVE-2019-13527 | ZDI-CAN-8682 |
Customers using the affected versions of Arena® are encouraged to install the updated revision of software that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below, and are encouraged, when possible, to combine these with secondary mitigations.
Customers using Arena® v16.00.00 are encouraged to implement patch v16.00.01 to address these vulnerabilities (Download).
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding multiple vulnerabilities in the parsing and storing of Electronic Datasheet (EDS) files in Rockwell Automation® software products. These vulnerabilities, if successfully exploited, may result in code injection and denial-of-service conditions.
EDS files are text files that allow product-specific information to be made available to third-party vendors by Rockwell Automation. These files define a device's configurable parameters and the public interfaces to those parameters for identification and commissioning.
Rockwell Automation has provided software updates containing the remediation to these vulnerabilities. Customers using the affected versions of these products are encouraged to evaluate the mitigations provided below and apply them appropriately.
CVE-2020-12034: SQL injection due to improper input sanitization
The EDS subsystem does not provide adequate input sanitization, which may allow an attacker to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. This may lead to denial-of-service (DoS) conditions or allow an attacker to manipulate the SQL engine to write or modify files on the system. This affects the EDS subsystem v27 and earlier.
CVSS v3.1 Base Score: 8.2/10 (HIGH)
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H
CVE-2020-12038: Denial-of-service conditions due to memory corruption in parsing/storage of EDS files
A memory corruption vulnerability exists in the algorithm that matches square brackets in the EDS subsystem. This may allow an attacker to craft specialized EDS files to crash the EDSParser COM object leading to denial-of-service (DoS) conditions. This affects the EDS subsystem v27 and earlier.
CVSS v3.1 Base Score: 6.7/10 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H
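CVE-2020-12034 and CVE-2020-12038 describe two failure modes of one parsing path: EDS content reaching the SQL engine as query text, and bracket matching that corrupts memory on malformed input. The Python example below is added here and is not Rockwell Automation's EDS subsystem or EDSParser code. It parses a constructed, simplified EDS-like text (the `[Section]` header, `Key = value;` entry and `$` comment shape is an assumption for this toy format, not a specification of real EDS files), bounds-checks every bracket lookup and rejects unterminated headers instead of reading past the input, and stores entries with parameterized SQLite statements so an injection-shaped value is kept as data.

```python
"""Defensive EDS-like parsing and storage (added example, not vendor code).

Two properties are demonstrated:
  1. bracket matching that never indexes past the line and reports
     malformed headers as errors (the DoS class of CVE-2020-12038);
  2. parameter binding for every value written to the database
     (the injection class of CVE-2020-12034).
"""
import sqlite3


class EdsFormatError(ValueError):
    """Raised for malformed input instead of reading out of bounds."""


def match_bracket(line: str, open_idx: int) -> int:
    """Return the index of the ']' closing the '[' at open_idx.

    Every index is checked against len(line); an unterminated '[' raises
    EdsFormatError rather than walking beyond the end of the string.
    """
    if open_idx >= len(line) or line[open_idx] != "[":
        raise EdsFormatError("expected '[' at position %d" % open_idx)
    depth = 0
    for i in range(open_idx, len(line)):
        if line[i] == "[":
            depth += 1
        elif line[i] == "]":
            depth -= 1
            if depth == 0:
                return i
    raise EdsFormatError("unterminated '[' at position %d" % open_idx)


def _strip_comment(line: str) -> str:
    """Drop an unquoted '$' comment (assumed comment marker for this toy format)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == "$" and not in_quote:
            return line[:i]
    return line


def _split_entries(buf: str):
    """Split on unquoted ';' only; return (complete entries, remainder)."""
    entries, current, in_quote = [], [], False
    for ch in buf:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            entries.append("".join(current))
            current = []
        else:
            current.append(ch)
    return entries, "".join(current)


def parse_eds(text: str) -> list:
    """Return [(section, key, value), ...] or raise EdsFormatError."""
    rows, section, pending = [], None, ""
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("[") and not pending:
            close = match_bracket(line, 0)
            section = line[1:close].strip()
            if not section:
                raise EdsFormatError("empty section name")
            continue
        if section is None:
            raise EdsFormatError("entry before any section header")
        pending = (pending + " " + line) if pending else line
        entries, pending = _split_entries(pending)
        pending = pending.strip()
        for entry in entries:
            key, sep, value = entry.partition("=")
            if not sep:
                raise EdsFormatError("entry without '=': %r" % entry)
            rows.append((section, key.strip(), value.strip().strip('"')))
    if pending:
        raise EdsFormatError("unterminated entry: %r" % pending)
    return rows


def is_well_formed(text: str) -> bool:
    try:
        parse_eds(text)
        return True
    except EdsFormatError:
        return False


def store_eds(rows) -> sqlite3.Connection:
    """Insert parsed rows with bound parameters; values never become SQL text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE eds (section TEXT, key TEXT, value TEXT)")
    conn.executemany("INSERT INTO eds (section, key, value) VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def lookup(conn: sqlite3.Connection, section: str, key: str):
    row = conn.execute(
        "SELECT value FROM eds WHERE section = ? AND key = ?", (section, key)
    ).fetchone()
    return None if row is None else row[0]


# Constructed sample, not a real Rockwell EDS file; the ProdName value is
# shaped like SQL so the test can confirm it is stored literally.
EDS_SAMPLE = """$ constructed EDS-like sample
[File]
    DescText = "Constructed device description";
    CreateDate = 01-01-2020;
[Device]
    VendCode = 1;
    ProdName = "Demo'); DROP TABLE eds; --";
"""

if __name__ == "__main__":
    conn = store_eds(parse_eds(EDS_SAMPLE))
    print(lookup(conn, "Device", "ProdName"))
    print(is_well_formed("[Device\n VendCode = 1;\n"))  # False: unterminated header
```

Running the sample shows the table still holding all four entries after the injection-shaped value is stored, and the unterminated `[Device` header producing an `EdsFormatError` rather than an out-of-range read.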
Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| CVE | Products Affected | Mitigation |
| CVE-2020-12034 CVE-2020-12038 | | Apply patch by following the instructions in knowledgebase article RAid 1125928. |
Network-based Vulnerability Mitigations for Embedded Products
General Mitigations
OSIsoft reported five vulnerabilities in PI System, a real-time data collection and visualization software, to Rockwell Automation. PI System software is used in multiple Rockwell Automation® software products. These vulnerabilities, if successfully exploited, may result in privilege escalation, information disclosure or a denial-of-service condition.
Not every PI System vulnerability applies to each impacted product. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding PI System vulnerability.
Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures are provided herein.
| Product | CVE-2020-10610 | CVE-2020-10608 | CVE-2020-10606 | CVE-2020-10600 | CVE-2020-10645 |
| FactoryTalk® View SE software version 11.00.00 and earlier | X | X | X | ||
| FactoryTalk® VantagePoint® software version 8.10.00 and earlier | X | X | X | ||
| FactoryTalk Historian - ThingWorx Connector software version 3.00.00 | X | X | X | ||
| FactoryTalk Historian SE software version 6.00.00 and earlier | X | X | X | X | |
| PlantPAx® DCS software (including Virtual Templates) version 4.60.00 and earlier | X | X | X | ||
| FactoryTalk ProcessBook software version 3.60.00 and earlier | X | X | X | X | |
| FactoryTalk Datalink software version 5.30.00 and earlier | X | X | X | ||
| FactoryTalk Historian SE to Historian SE (SE2SE) Interface software version 3.08.07 and earlier | X | X | X | ||
| FactoryTalk Historian SE Interface for Universal File Loader software version 3.01.02 and earlier | X | X | X | ||
| FactoryTalk Historian SE Interface for ODBC (RDBMS) software version 3.20.06 and earlier | X | X | X | ||
| FactoryTalk Historian Batch Interface software version 1.00.20 and earlier | X | X | X | ||
| FactoryTalk Historian Event Frames Generator (PE EFGen) software version 4.00.25 and earlier | X | X | X | ||
| FactoryTalk Historian SE Advance Server software version 6.00.00 and earlier | X | X | X | ||
| FactoryTalk Historian SE third-party OLEDB Connectivity software version 4.00.00 and earlier | X | X | X | ||
| FactoryTalk Historian SE third-party OPC Connectivity software version 4.00.00 and earlier | X | X | X |
OSIsoft provided the vulnerability details in their security advisory.
CVE-2020-10610: Local Privilege Escalation via Uncontrolled Search Path Element
A local attacker can modify a search path and plant a binary to exploit the affected PI System software and take control of the local computer at system level privileges, resulting in unauthorized information disclosure, deletion or modification.
CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-10608: Local Privilege Escalation via Improper Verification of Cryptographic Signature
A local attacker can plant a binary and bypass a code integrity check for loading PI System libraries. Exploitation can target another local user of the software to escalate privilege, resulting in unauthorized information disclosure, deletion or modification.
CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-10606: Local Privilege Escalation via Incorrect Default Permissions
A local attacker can exploit incorrect permissions set by affected PI System software. Exploitation can result in unauthorized disclosure, deletion, or modification if the local computer also processes PI System data from other users such as a shared workstation or terminal server deployment.
CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-10600: Null Pointer Dereference may cause Denial-of-Service Conditions
A remote, authenticated attacker could crash PI Archive Subsystem when the subsystem is working under memory pressure. This can result in blocking queries to PI Data Archive and may cause denial-of-service conditions.
CVSS v3 Base Score: 5.9/10 (MEDIUM)
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
CVE-2020-10645: Use of Out-of-range Pointer Offset may lead to Remote Code Execution
A remote, authenticated attacker could embed malicious content in the display file of the impacted software product. When opened by an affected version, the attacker could read, write and execute code on the computer with the impacted software in the context of the current user.
CVSS v3 Base Score: 8.0/10 (HIGH)*
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
* Note: OSIsoft calculated the Temporal CVSS metrics for this vulnerability, which brings the score to a 6.4/10 (MEDIUM)
Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates and user guidance as these fixes become available. Please subscribe to security updates to this advisory and the Industrial Security Index (Knowledgebase PN1354) to stay notified.
Customers currently using any of the affected software are encouraged to take the following actions:
v2.0 - Update:
| Product | CVE Identifiers | Suggested Action |
| FactoryTalk® View SE software | CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 | Download v12.00.00 or later. |
| FactoryTalk Historian SE | CVE-2020-10600 CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 | Download v7.00.00 or later. |
| PlantPAx® DCS software (including Virtual Templates) | CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 | Download v5.00 or later. |
| FactoryTalk ProcessBook software | CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 CVE-2020-10645 | Download v3.70.01 or later. |
| FactoryTalk Datalink software | CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 | Download v5.50.02 or later. |
| FactoryTalk Historian SE Interface for Universal File Loader software | CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 | Download v3.60.07 or later. |
| FactoryTalk Historian SE Interface for ODBC (RDBMS) software | CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 | Download v3.24.05 or later. |
| FactoryTalk Historian Event Frames Generator (PE EFGen) software | CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 | Download v4.00.40 or later. |
| FactoryTalk Historian SE Advance Server software | CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 | Download v7.00.00 or later. |
| FactoryTalk Historian SE third-party OLEDB Connectivity software | CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 | Download v7.00.00 or later. |
| FactoryTalk Historian SE third-party OPC Connectivity software | CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 | Download v7.00.00 or later. |
v1.0 - Initial Release:
Customers currently using any of the affected software that is not listed in the table above are encouraged to take the following actions:
| Vulnerability Identifier | Suggested Actions |
| CVE-2020-10610 | |
| CVE-2020-10608 | |
| CVE-2020-10606 | |
| CVE-2020-10600 | |
| CVE-2020-10645 | |
Rockwell Automation received a vulnerability report from Reid Wightman, a researcher from Dragos, regarding a file permission vulnerability affecting several Dynamic Link Library (DLL) files added during installation of the Current Program Updater software. If successfully exploited, this vulnerability may allow a local attacker to escalate privileges on the targeted PC to gain system administrative control.
Current Program Updater is installed with the Product Selection Toolbox™ suite along with other toolkits. For a full list, please see the affected products below.
Current Program Updater v1.1.0.7 and earlier.
The following tools use the affected version of Current Program Updater:
CVE-2017-5176: File Permission Vulnerability Leading to Privilege Escalation
A local, authenticated attacker could write to several directories containing Dynamic Link Library (DLL) files that execute with system-level privilege. These DLL files inherit the permissions of their directories, meaning DLL files that run at the system level can be written to by a normal user, leading to an escalation of privileges. Certain registry keys were also found to be writable by normal users.
A CVSS v3 base score of 7.0/High has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Customers currently using any of the affected tools are encouraged to take the following actions:
| Toolkit | Impacted Registry Keys or Files |
| All Tools | C:\Windows\SysWOW64\raise.dll C:\Windows\SysWOW64\SSPodt.exe HKEY_CLASSES_ROOT\RAISE |
| Batch Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\Installed Components\Batch |
| CENTERLINE 2500 Global Product Configuration Builder | HKEY_CLASSES_ROOT\RAISE\Installed Components\Installed Components\EST_Adv |
| CENTERLINE Builder | HKEY_CLASSES_ROOT\RAISE\Installed Components\CENTERLINEBuilder |
| CNC Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\Installed Components\CMAT |
| Connected Components Accelerator Tool Kit | HKEY_CLASSES_ROOT\RAISE\Installed Components\CCAT |
| Current Program Updater | HKEY_CLASSES_ROOT\RAISE\Installed Components\Shared |
| Drives and Motion Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\Installed Components\Simp_DMAT |
| Energy Management Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\Installed Components\Simp_EMAT |
| Product Selection Toolbox Suite | HKEY_CLASSES_ROOT\RAISE\Installed Components\Shared |
| Safety Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\InstalledComponents\Simp_SafetyGuardLogix |
| Water Wastewater Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\Installed Components\Simp_WWWAT |
The following toolkits are considered End of Life (EOL):
| Product Family | Suggested Actions |
| Connected Components Accelerator Tool Kit; Drives & Motions Accelerator; CNC Accelerator Toolkit; Safety Accelerator Toolkit; Energy Management Accelerator Toolkit; Water Wastewater Accelerator Toolkit | Customers are encouraged to discontinue use of these toolkits, uninstall them if possible, and follow the remediation steps outlined above. |
Rockwell Automation received a report from the researcher William Knowles at Applied Risk regarding a vulnerability in RSLinx® Classic software, which if successfully exploited, could allow an authenticated attacker to gain elevated or SYSTEM level privileges.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
RSLinx versions 4.11.00 and earlier.
CVE-2020-10642: Privilege Escalation via Weak Registry Key Permissions
An authenticated, local attacker could modify the registry key, which could lead to the execution of malicious code when RSLinx Classic was opened. The code would run under the same system privileges as RSLinx and therefore, could be used for privilege escalation.
CVSS v3.0 Base Score: 8.8/HIGH
CVSS v3.0 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Customers using the affected versions of RSLinx Classic are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Product Family | Suggested Actions |
| RSLinx Classic | Apply Patch 1091155 (Download). The patch can be applied to v3.60 to v4.11, but customers are encouraged to apply the most recent version of RSLinx Classic. |
Cisco Systems, Inc. (“Cisco”) has released advisories detailing multiple vulnerabilities in Cisco Adaptive Security Appliance (“ASA”) Software that, if successfully exploited, could potentially allow a threat actor to bypass client certificate verification when establishing connections to the affected device, cause an affected device to crash, or view potentially sensitive data on the device. The Allen-Bradley® Stratix® 5950 uses Cisco ASA software as its central operating system; this enables the security device to offer capabilities that include providing proactive threat defense for industrial control systems.
Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply any appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.
Allen-Bradley® Stratix® 5950 Security Appliance
(Cisco Adaptive Security Appliance v9.6.2 and earlier)
Vulnerability #1: Flow Creation Denial of Service Vulnerability
A vulnerability in the ingress flow creation functionality of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to drive CPU utilization toward 100 percent, causing a denial of service (DoS) condition on an affected system.
The vulnerability is due to incorrect handling of an internal software lock that could prevent other system processes from getting CPU cycles, causing a high CPU condition. A threat actor could exploit this vulnerability by sending a steady stream of malicious IP packets that cause connections to be created on the targeted device. A successful exploit could allow the threat actor to exhaust CPU resources, resulting in a DoS condition during which traffic through the device could be delayed. This vulnerability applies to IPv4 and IPv6 ingress traffic, whether destined to or passing through an affected device.
CVE-2018-0228 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #2: Virtual Private Network SSL Client Certificate Bypass Vulnerability
A vulnerability in the Secure Sockets Layer (SSL) Virtual Private Network (VPN) Client Certificate Authentication feature for Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote threat actor to establish an SSL VPN connection and bypass certain SSL certificate verification steps.
The vulnerability is due to incorrect verification of the SSL Client Certificate. A threat actor could exploit this vulnerability by connecting to the ASA VPN without a proper private key and certificate pair. A successful exploit could allow the threat actor to establish an SSL VPN connection to the ASA when the connection should have been rejected.
CVE-2018-0227 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.
Vulnerability #3: Transport Layer Security Denial of Service Vulnerability
A vulnerability in the Transport Layer Security (TLS) library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote threat actor to trigger a reload of the affected device resulting in a denial of service (DoS) condition.
The vulnerability is due to insufficient validation of user-supplied input. A threat actor could exploit this vulnerability by sending a malicious TLS message to an interface enabled for Secure Sockets Layer (SSL) services on an affected device. Messages using SSL Version 3 (SSLv3) or SSL Version 2 (SSLv2) cannot be used to exploit this vulnerability. An exploit could allow the threat actor to cause a buffer underflow, triggering a crash on an affected device.
CVE-2018-0231 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #4: Application Layer Protocol Inspection Denial of Service Vulnerabilities
Multiple vulnerabilities in the Application Layer Protocol Inspection feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote threat actor to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.
The vulnerabilities are due to logical errors during traffic inspection. A threat actor could exploit these vulnerabilities by sending a high volume of malicious traffic across an affected device. An exploit could allow the threat actor to cause a deadlock condition, resulting in a reload of an affected device.
CVE-2018-0240 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #5: Web Services Denial of Service or Potential Sensitive Information Disclosure
A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote threat actor to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but a threat actor could view sensitive system information without authentication by using directory traversal techniques.
The vulnerability is due to lack of proper input validation of the HTTP URL. A threat actor could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the threat actor to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic.
CVE-2018-0296 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H.
Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and are encouraged when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.
Update the Stratix 5950 per the table below:
| Vulnerability | Suggested Actions |
| #1: Flow Creation Denial of Service Vulnerability | Apply FRN v6.4.0 (Download) |
| #2: Virtual Private Network SSL Client Certificate Bypass Vulnerability | Apply FRN v6.4.0 (Download) |
| #3: Transport Layer Security Denial of Service Vulnerability | Apply FRN v6.4.0 (Download) |
| #4: Application Layer Protocol Inspection Denial of Service Vulnerabilities | Apply FRN v6.4.0 (Download) |
| #5: Web Services Denial of Service or Potential Sensitive Information Disclosure | Apply FRN v6.4.0 (Download) |
Secondary Mitigations include the following:
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included seven security advisories that affect Allen-Bradley® products. One of these vulnerabilities affects the following Allen-Bradley Stratix® product:
Allen-Bradley Stratix 5950 Security Appliance
Cisco Adaptive Security Appliance (ASA) IPsec Denial of Service
A vulnerability in the IPsec driver code of multiple Cisco IOS XE Software platforms and the Cisco ASA 5500-X Series Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the device to reload.
The vulnerability is due to improper processing of malformed IPsec Authentication Header (AH) or Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by sending malformed IPsec packets to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.
NOTE: IPsec is disabled by default in the Allen-Bradley Stratix 5950 devices.
The security disclosure from Cisco for their IOS XE and Cisco ASA 5500-x Series is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec.
CVE-2018-0472 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and are encouraged when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.
Update the affected products per the table below:
| Product | Suggested Actions |
| Stratix 5950 Security Appliance | Apply FRN v6.4.0 (Download) |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).
Cisco Systems, Inc. (Cisco) released an advisory regarding a vulnerability in the logic that handles access control to a hardware component in Cisco’s proprietary Secure Boot implementation. If successfully exploited, an attacker could write a modified firmware image to the component. The Allen-Bradley® Stratix® 5950 utilizes Cisco’s proprietary Secure Boot implementation.
Customers using affected versions of this product are encouraged to evaluate the mitigations provided below and apply any appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.
Allen-Bradley Stratix 5950 Security Appliance:
CVE-2019-1649: Cisco Secure Boot Hardware Tampering
A vulnerability in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write their own modified firmware image to the affected component.
The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system running on the affected device could utilize this vulnerability to write a modified firmware image to the FPGA. A successful exploit could cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image.
The security disclosure from Cisco regarding their Secure Boot implementation is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot.
CVSS v3.1 Base Score: 6.7/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and are encouraged when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.
Update the affected products per the table below:
| Vulnerability | Product | Suggested Actions |
| CVE-2019-1649 | Stratix 5950 Security Appliance | Apply FRN v6.4.0 (Download) |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).
Additional Links
A subset of MicroLogix™ controllers and RSLogix 500® software contain multiple vulnerabilities that could allow an attacker to gain access to sensitive project file information including passwords. Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies submitted reports to Rockwell Automation regarding several vulnerabilities found in the Allen-Bradley® MicroLogix controllers and RSLogix 500 software. A subset of these vulnerabilities was also independently co-discovered and reported by Rongkuan Ma, Xin Che, and Peng Cheng from 307 Lab.
Customers using affected versions of these products are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
MicroLogix 1400 Controllers
Series B, v21.001 and earlier
Series A, all versions
MicroLogix 1100 Controllers
All versions
RSLogix 500® Software
V12.001 and earlier
CVE-2020-6990: Use of Hard-Coded Cryptographic Key
The cryptographic key used to help protect the account password is hard-coded into the RSLogix 500 binary file. An attacker could recover this key and use it for further cryptographic attacks that could ultimately allow a remote attacker to gain unauthorized access to the controller.
CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-6984: Use of a Broken or Risky Algorithm for Password Protection
The cryptographic function utilized to protect the password in MicroLogix is discoverable. This password protects access to the device. If successfully exploited a remote attacker could gain unauthorized access to the controller.
CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-6988: Use of Client-Side Authentication
A remote, unauthenticated attacker can send a request from the RSLogix 500 software to the victim’s MicroLogix controller, and the controller will respond with the password values used to authenticate the user, leaving the authentication decision to the client side. This method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials.
CVSS v3.1 Base Score: 5.9/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
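The client-side authentication pattern described for CVE-2020-6988, set beside a device-side challenge-response, as an added example written for this page. It is a generic model, not the MicroLogix or RSLogix 500 wire protocol: the type and function names, the message shapes, the HMAC-SHA256 challenge-response and the sample password are all assumptions made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Vulnerable pattern: the device discloses the stored password and leaves the
// comparison to the client. Nothing here is the MicroLogix wire protocol.
type VulnerableController struct {
	password []byte
	unlocked bool
}

func NewVulnerableController(password []byte) *VulnerableController {
	return &VulnerableController{password: append([]byte(nil), password...)}
}

// ReadPassword is the response the advisory describes: the secret itself
// crosses the wire to an unauthenticated peer.
func (c *VulnerableController) ReadPassword() []byte {
	return append([]byte(nil), c.password...)
}

// Unlock takes no proof; the protocol assumes the client already checked.
func (c *VulnerableController) Unlock()        { c.unlocked = true }
func (c *VulnerableController) Unlocked() bool { return c.unlocked }

// RogueClient skips the comparison (bypass) and keeps the password (leak).
func RogueClient(c *VulnerableController) (unlocked bool, leaked string) {
	leaked = string(c.ReadPassword())
	c.Unlock()
	return c.Unlocked(), leaked
}

// Hardened pattern: challenge-response with the decision made on the device.
// The password never leaves the client; the device holds only a derived key.
type HardenedController struct {
	key      []byte
	nonce    []byte // outstanding challenge; nil once consumed
	unlocked bool
}

// deriveKey is a stand-in for a real password KDF.
func deriveKey(password []byte) []byte {
	k := sha256.Sum256(password)
	return k[:]
}

func NewHardenedController(password []byte) *HardenedController {
	return &HardenedController{key: deriveKey(password)}
}

// Challenge issues a fresh random nonce that is valid for exactly one attempt.
func (c *HardenedController) Challenge() ([]byte, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	c.nonce = n
	return append([]byte(nil), n...), nil
}

// Respond is the client side: prove knowledge of the password without sending it.
func Respond(password, nonce []byte) []byte {
	m := hmac.New(sha256.New, deriveKey(password))
	m.Write(nonce)
	return m.Sum(nil)
}

// Verify is the device side; the nonce is consumed before the check so a
// captured response cannot be replayed.
func (c *HardenedController) Verify(resp []byte) error {
	if c.nonce == nil {
		return errors.New("no outstanding challenge")
	}
	m := hmac.New(sha256.New, c.key)
	m.Write(c.nonce)
	c.nonce = nil
	if !hmac.Equal(m.Sum(nil), resp) {
		return errors.New("authentication failed")
	}
	c.unlocked = true
	return nil
}

func (c *HardenedController) Unlocked() bool { return c.unlocked }

func main() {
	// "s3cret" is a constructed sample, not a default credential.
	unlocked, leaked := RogueClient(NewVulnerableController([]byte("s3cret")))
	fmt.Println("bypassed:", unlocked, "leaked:", leaked)
}
```

In the vulnerable model the device's only contribution is handing over the secret: any client that ignores the comparison is authenticated, which is the bypass, and any client that records the response holds the password, which is the leak. In the hardened model the password never crosses the wire, the device makes the decision, and each nonce is single-use, so a response captured from the network is rejected when replayed.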
CVE-2020-6980: Unsecured SMTP Data Storage
If Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim’s project file or the controller may be able to gather SMTP server authentication data, as it is written to the project file in cleartext.
CVSS v3.1 Base Score: 4.0/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
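Every entry on this page, from CVE-2020-10642 above through CVE-2020-6980, pairs a base score with the vector string it was derived from, and each advisory points to the vector as the way to understand the score. The following Go program is an added example, not part of the advisories or of any Rockwell Automation or Cisco tooling; it implements the CVSS v3 base-score equations and the qualitative rating scale for any base vector, and is checked against the vector strings published above.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Base-metric weights from the CVSS v3.0/v3.1 specification. "PR" holds the
// Scope-unchanged values; prChanged overrides them when S:C.
var weights = map[string]map[string]float64{
	"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
	"AC": {"L": 0.77, "H": 0.44},
	"PR": {"N": 0.85, "L": 0.62, "H": 0.27},
	"UI": {"N": 0.85, "R": 0.62},
	"C":  {"H": 0.56, "L": 0.22, "N": 0},
	"I":  {"H": 0.56, "L": 0.22, "N": 0},
	"A":  {"H": 0.56, "L": 0.22, "N": 0},
}
var prChanged = map[string]float64{"L": 0.68, "H": 0.50}

// roundUp is the v3.1 Roundup function (integer arithmetic avoids floating-point artefacts).
func roundUp(x float64) float64 {
	i := int64(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// ParseVector splits "CVSS:3.x/AV:../AC:../PR:../UI:../S:../C:../I:../A:.." and rejects bad values.
func ParseVector(vec string) (map[string]string, error) {
	parts := strings.Split(vec, "/")
	if len(parts) != 9 || !strings.HasPrefix(parts[0], "CVSS:3.") {
		return nil, fmt.Errorf("not a CVSS v3.x base vector: %q", vec)
	}
	m := make(map[string]string, 8)
	for _, p := range parts[1:] {
		if kv := strings.SplitN(p, ":", 2); len(kv) == 2 {
			m[kv[0]] = kv[1]
		}
	}
	for k := range weights {
		if _, ok := weights[k][m[k]]; !ok {
			return nil, fmt.Errorf("missing or invalid metric %s", k)
		}
	}
	if m["S"] != "U" && m["S"] != "C" {
		return nil, fmt.Errorf("missing or invalid metric S")
	}
	return m, nil
}

// BaseScore evaluates the v3 base-score equations for a vector string.
func BaseScore(vec string) (float64, error) {
	m, err := ParseVector(vec)
	if err != nil {
		return 0, err
	}
	changed := m["S"] == "C"
	iss := 1 - (1-weights["C"][m["C"]])*(1-weights["I"][m["I"]])*(1-weights["A"][m["A"]])
	impact := 6.42 * iss
	pr := weights["PR"][m["PR"]]
	if changed {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
		if v, ok := prChanged[m["PR"]]; ok {
			pr = v
		}
	}
	exploitability := 8.22 * weights["AV"][m["AV"]] * weights["AC"][m["AC"]] * pr * weights["UI"][m["UI"]]
	if impact <= 0 {
		return 0, nil
	}
	if changed {
		return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundUp(math.Min(impact+exploitability, 10)), nil
}

// Severity is the qualitative rating printed beside each score above.
func Severity(score float64) string {
	switch {
	case score == 0:
		return "NONE"
	case score < 4:
		return "LOW"
	case score < 7:
		return "MEDIUM"
	case score < 9:
		return "HIGH"
	}
	return "CRITICAL"
}

func main() {
	// Vector string copied from the RSLinx Classic advisory (CVE-2020-10642).
	s, err := BaseScore("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H")
	fmt.Println(s, Severity(s), err)
}
```

Run over every vector string on this page, the program reproduces the published score for each entry except CVE-2020-6988, whose vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) evaluates to 7.5 rather than the listed 5.9, so either the score or the vector for that entry was published incorrectly. When triaging, re-derive the number from the vector rather than trusting the headline figure: the vector is what records attack vector, privileges and scope, which is what a deployment decision actually depends on.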
Acknowledgements:
| CVE# | Discovery Attribution |
| CVE-2020-6990 | Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. |
| CVE-2020-6984 | Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 Lab. |
| CVE-2020-6988 | Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 Lab. |
| CVE-2020-6980 | Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. |
Customers are encouraged to assess their level of risk regarding their specific applications and update to the latest available firmware or software version that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below and are encouraged, when possible, to combine these strategies with the general security guidelines to employ multiple strategies simultaneously.
Note: Customers using affected versions of MicroLogix 1400 or MicroLogix 1100 are urged to contact their local distributor or sales office to upgrade their devices to MicroLogix 1400 Series B or a newer product line.
| Product | Catalog Numbers | Suggested actions for CVE-2020-6990, CVE-2020-6984, and CVE-2020-6988 | Suggested actions for CVE-2020-6980 |
| MicroLogix 1400 controllers, Series B | 1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA | Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download). Use the Enhanced Password Security feature. | Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download). Use the Enhanced Password Security feature. |
| MicroLogix 1400 controllers, Series A | 1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA | No direct mitigation. | No direct mitigation. |
| MicroLogix 1100 controllers. | 1763-L16BWA 1763-L16AWA 1763-L16BBB 1763-L16DWD | No direct mitigation. | No direct mitigation. |
| RSLogix 500® software | R324-RL0x | Apply version V11 or later (Download), used in conjunction with FRN 21.002 or later on MicroLogix 1400 Series B devices, and use the Enhanced Password Security feature. For other configurations there is no direct mitigation. | No direct mitigation. |
For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.
See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
Additional Links:
Rockwell Automation recognizes the importance of information and control system security to our customers. We are committed to working with government agencies and standards development organizations to develop solutions targeted to help our customers improve their overall system security strategy.
As part of this effort, the Idaho National Laboratory (INL) Control Systems Security Program, under contract to the Department of Homeland Security (DHS), identified a potential security concern within the firmware upgrade process used in control systems deployed in Critical Infrastructure and Key Resources (CIKR). DHS has confirmed that the firmware upgrade process can be intentionally manipulated in a manner that has potential to render the device inoperable and cause a disruption to the process and/or system operation.
Rockwell Automation has been working in partnership with DHS to identify potential short-term and long-term mitigation strategies.
As a result, Rockwell Automation is implementing a policy to digitally sign most firmware images and require contemporary devices to validate this signature before applying a firmware upgrade. Over time, many contemporary Rockwell Automation products will include this signature validation mechanism to help ensure firmware integrity and authenticity.
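A minimal model of the signed-firmware policy described above, as an added example that is not Rockwell Automation code and does not reflect any Rockwell Automation firmware format: the vendor signs the SHA-256 digest of the image with a private key, and the device, which holds only the matching public key, refuses to write any image whose signature does not verify. The choice of Ed25519, the container layout, the type names and the sample image bytes are assumptions made here. The same check is the long-term answer to the firmware upgrade manipulation described for the 1756-ENBT/A module further below.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedFirmware is an illustrative container: the image plus a detached
// signature over SHA-256(image). The layout and the choice of Ed25519 are
// assumptions made for this example, not a Rockwell Automation format.
type SignedFirmware struct {
	Image     []byte
	Signature []byte
}

// Sign is the release-side step; only the vendor holds priv.
func Sign(priv ed25519.PrivateKey, image []byte) SignedFirmware {
	digest := sha256.Sum256(image)
	return SignedFirmware{
		Image:     append([]byte(nil), image...),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Device models a controller that carries the vendor's public key and keeps
// a copy of the last image it accepted.
type Device struct {
	VendorKey ed25519.PublicKey
	Flash     []byte
}

// ApplyUpgrade verifies before it writes: an image that fails verification
// never reaches flash, so a manipulated upload cannot render the device
// inoperable.
func (d *Device) ApplyUpgrade(fw SignedFirmware) error {
	digest := sha256.Sum256(fw.Image)
	if len(fw.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(d.VendorKey, digest[:], fw.Signature) {
		return errors.New("firmware rejected: signature does not verify against the vendor key")
	}
	d.Flash = append([]byte(nil), fw.Image...)
	return nil
}

// Demo sends three uploads to one device: a genuine image, the same image with
// one byte flipped after signing, and an image signed with an attacker's own
// key. It reports whether each upload was accepted.
func Demo() (genuine, tampered, foreignKey bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	dev := &Device{VendorKey: vendorPub}
	image := []byte("constructed firmware image, not real firmware")

	genuine = dev.ApplyUpgrade(Sign(vendorPriv, image)) == nil

	fw := Sign(vendorPriv, image)
	fw.Image[0] ^= 0x01 // altered in transit; the digest no longer matches the signature
	tampered = dev.ApplyUpgrade(fw) == nil

	foreignKey = dev.ApplyUpgrade(Sign(attackerPriv, image)) == nil
	return
}

func main() {
	g, t, f, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine accepted=%v tampered accepted=%v attacker-signed accepted=%v\n", g, t, f)
}
```

Verification has to complete before any byte reaches flash and has to cover the digest of the entire image, so that a truncated or partially transferred upload is rejected along with a deliberately altered one. A signature proves origin and integrity only: it does not by itself stop an attacker from pushing an older, validly signed image that contains a known vulnerability, so a version or anti-rollback check belongs beside it.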
The following Rockwell Automation products currently authenticate firmware using digital signatures:
For other devices, to help reduce the likelihood of the upgrade process being exploited and help reduce associated security risk, Rockwell Automation and DHS recommend the following short-term mitigation strategies (Note: multiple strategies can be employed simultaneously):
Rockwell Automation is currently investigating additional long-term mitigation strategies that include, but are not limited to:
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Reference http://www.ab.com/networks/architectures.html for comprehensive information about improving your control system to implement validated architectures designed to deliver layered-security and defense-in-depth.
Rockwell Automation has identified three potential security vulnerabilities related to the web interface of the 1756-ENBT/A EtherNet/IP Bridge Module (the "Product"). Specifically, the risks include the following:
None of these issues results in the Product’s web pages or other Product functions being compromised or otherwise affected.
These potential security vulnerabilities are corrected in:
The best way to mitigate the risk associated with these issues is to employ the following in the design of network architecture:
Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
Additionally, to help mitigate the risk associated with the potential cross-site scripting vulnerability, certain web browsers and/or browser add-ons can be used. Internet Explorer Version 8 (which is currently in beta release) has cross-site scripting protection built in. Additionally, the NoScript add-on for the Firefox browser can help prevent cross-site scripting attacks.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security/.
http://www.kb.cert.org/vuls/id/124059
http://www.kb.cert.org/vuls/id/619499
http://www.kb.cert.org/vuls/id/882619
Industry Advisory - CIP: Rockwell Automation ControlLogix 1756-ENBT/A WebServer Vulnerabilities
Rockwell Automation has identified a potential security vulnerability in the firmware upgrade process employed by the ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module (the "Product"). Details of this potential vulnerability are as follows:
The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product and other components dependent on the Product. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the Product for other malicious activities.
To help reduce the likelihood of exploitation and to help reduce associated security risk, Rockwell Automation recommends the following short-term mitigation strategies (Note: multiple strategies can be employed simultaneously):
In addition to these short-term mitigation strategies, Rockwell Automation continues our investigation and evaluation of other long-term mitigation strategies that include, but are not limited to:
For your information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at https://www.rockwellautomation.com/global/capabilities/industrial-security/overview.page.
Rockwell Automation has identified a security vulnerability in the programming and configuration client software authentication mechanism employed by the MicroLogix™ family of programmable controllers. This vulnerability is known to affect the MicroLogix family of controller platforms, including catalog numbers: 1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx (the "Product").
Vulnerability Details:
The potential exists for a highly skilled, unauthorized person with specific tools, know-how and access to the Product or the control system communication link, to intercept and decipher the Product’s password and potentially make unauthorized changes to the Product’s operation.
--- Update begins here ---
Vulnerability Mitigation
The password mechanism used between RSLogix 500 software and MicroLogix controllers (1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx) has been enhanced to mitigate risks relating to this specific vulnerability. Concerned customers are encouraged to upgrade RSLogix 500 software to version 8.4 or greater.
--- Update ends here ---
In addition to the recommended software upgrade, Rockwell Automation recommends customers take additional steps as outlined below to further reduce associated security risk from this vulnerability. These same steps can also serve as a checklist to verify that available security capabilities are in place in a system’s configuration (Note: when possible, multiple strategies should be employed simultaneously):
Rockwell Automation remains committed to making additional security enhancements to our products and systems in the future. For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Updated March 19, 2013 (see below)
Rockwell Automation has identified a potential security vulnerability in the programming and configuration client software authentication mechanism employed by certain versions of the PLC5 and SLC family of programmable controllers. The particular vulnerability affects older versions of the following catalog numbers: 1785-Lx and 1747-L5x (the "Product"). Newer Products, programmed with current versions of RSLogix 5 or RSLogix 500, can enable specific security features like FactoryTalk Security services to effectively enhance security and reduce risks associated with this vulnerability. When coupled with contemporary network design practices, remaining risks linked to this vulnerability can be further reduced.
Details of this potential vulnerability to the affected Product are as follows:
The potential exists for a highly skilled, unauthorized person, with specific tools and know-how, to intercept communications between a Product and an authorized software client to gain access to the Product and interrupt its intended operation.
Customers who are concerned about unauthorized access to their Products can take immediate steps as outlined below to reduce associated security risk from this potential vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system’s configuration too.
To help reduce the likelihood of exploitation and to help reduce associated security risk in the PLC5 and SLC family of controllers, Rockwell Automation recommends the following immediate mitigation strategies (Note: when possible, multiple strategies should be employed simultaneously):
1. When applicable, upgrade Product firmware to a version that includes enhanced security functionality compatible with Rockwell Automation’s FactoryTalk Security services. This functionality can be enabled via RSLogix 5 or RSLogix 500 software. Recommended firmware revisions are as follows:
a. The 1747-L5x firmware should be OS Series C FRN 10, or higher.
b. 1785-Lx processor firmware should be at or above the following (refer to included table):
| Catalog Number | Series A | Series B | Series C | Series D | Series E | Series F |
| Enhanced | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L11B | R.2 | U.2 | L.2 | K.2 | ||
| 1785-L20B | R.2 | U.2 | L.2 | K.2 | ||
| 1785-L30B | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L40B | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L40L | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L60B | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L60L | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L80B | U.2 | L.2 | K.2 | |||
| Protected | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L26B | R.2 | U.2 | L.2 | K.2 | ||
| 1785-L46B | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L46L | S.2 | U.2 | ||||
| 1785-L86B | U.2 | L.2 | K.2 | |||
| Ethernet | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L20E | U.2 | L.2 | K.2 | A.2 | ||
| 1785-L40E | U.2 | L.2 | K.2 | A.2 | ||
| 1785-L80E | U.2 | L.2 | K.2 | A.2 | ||
| ControlNet | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L20C15 | U.2 | L.2 | K.2 | E.2 | ||
| 1785-L40C15 | U.2 | L.2 | K.2 | E.2 | ||
| 1785-L46C15 | K.2 | E.2 | ||||
| 1785-L60C15 | L.2 | |||||
| 1785-L80C15 | L.2 | K.2 | E.2 |
2. Use the latest version of RSLogix 5 or RSLogix 500 configuration software and enable FactoryTalk Security services.
3. Where possible, disable the capability to remotely program and configure the Product over a network by placing the controller’s key switch into RUN mode.
4. For PLC5 controllers, enable and configure "Passwords and Privileges" to restrict access to critical data and improve password security.
5. For SLC controllers, enable static protection via RSLogix 500 on all critical data table files to prevent any remote data changes to critical data.
<START UPDATE>
Added: 19 Mar 2013
Both RSLogix 500 and RSLogix Micro software version 8.40 were enhanced to introduce password encryption without any changes necessary to SLC and MicroLogix firmware. This implementation is compatible with all SLC and MicroLogix platforms.
In order to use this capability, a new "Encrypt Password" checkbox has been included in RSLogix 500/Micro version 8.40. This "Encrypt Password" checkbox is located on the Password tab of the Controller Properties page.
NOTE: Once an encrypted password is loaded into a controller, earlier versions of RSLogix 500 and RSLogix Micro will not be able to match the controller password.
For detailed information, refer to Publication 1766-RM001E-EN-P - May 2012, Program Password Protection
<END UPDATE>
6. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
7. Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
8. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
Rockwell Automation is committed to making additional security enhancements to our systems in the future.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Publicly disclosed September 13, 2011 as RSLogix 5000 Denial of Service Vulnerability
Updated October 5, 2011
This advisory is a replacement and update to AID#: 456065
On September 13, 2011, Rockwell Automation was made aware of a potential vulnerability in RSLogix™ 5000 software that, if successfully exploited, may result in a Denial of Service condition. Since the release of this information, we have been evaluating the specific vulnerability and associated risk.
We have confirmed the existence of this vulnerability in a particular software service employed by RSLogix 5000 and FactoryTalk®-branded Rockwell Automation software products.
Affected Products:
| Product Description | Affected Versions |
| RSLogix 5000 software | Versions V17, V18 and V19 |
| All FactoryTalk-branded software | CPR9 and CPR9-SR1 through SR4 |
Vulnerability Details and Impacts:
The particular vulnerability affects a software service in Rockwell Automation’s FactoryTalk Services Platform (FTSP). Although the installation of FTSP is optional, the specific service is also employed separately with a variety of Rockwell Automation software applications.
The Rockwell Automation Security Taskforce has determined that exploitation of this vulnerability can result in a potential Denial of Service (DoS) in RSLogix 5000 software. Specifically, it can result in RSLogix 5000 being unable to publish information to FactoryTalk Diagnostics and FactoryTalk AssetCentre. Additionally, exploitation can lead to a potential for a DoS and Denial of View (DoV) condition to other affected FactoryTalk-branded software. Such DoS and DoV conditions can prevent affected software from establishing communication or maintaining information exchange with servers and other control system devices.
There is no known possibility of malicious code injection and no known escalation of privilege on the target machine that results from successful exploitation of the vulnerability. Furthermore, there is no indication that exploitation will disrupt operation of a Rockwell Automation programmable controller or communications between RSLogix 5000 software and a Rockwell Automation programmable controller.
Vulnerability Mitigation:
A software patch for affected FactoryTalk Services Platform and RSLogix 5000 software has been released. Rockwell Automation recommends concerned customers apply this patch roll-up at their earliest convenience:
| Product Description | Current Version | Recommendations |
| FactoryTalk Services Platform (FTSP) | CPR9, CPR9-SR1, CPR9-SR2, | Apply patch roll-up: http://rockwellautomation.custhelp.com/app/answers/detail/a_id/458689 |
| RSLogix 5000 | V17, V18, V19 | Apply patch roll-up: http://rockwellautomation.custhelp.com/app/answers/detail/a_id/458689 |
NOTE: FactoryTalk Services Platform CPR7 and earlier and RSLogix 5000 V16 and earlier are not affected by this vulnerability.
Other Mitigation Techniques:
We recognize the concerns our customers have relating to this matter. We continue to recommend that concerned customers remain vigilant and follow good security practices and system design.
Rockwell Automation, in collaboration with NitroSecurity, has released a specific SNORT® signature suitable for many popular Intrusion Detection Systems (IDS). Use of this signature can help further reduce risk of successful remote exploitation of this vulnerability. This signature has been supplied to the QuickDraw SCADA IDS project, originally funded by US Department of Energy, for inclusion in the QuickDraw signature database. http://www.digitalbond.com/tools/quickdraw/
Rockwell Automation has evaluated Symantec Endpoint Protection (SEP) and validated a rule that blocks the known exploitation for SEP. We recommend that SEP definitions be kept up to date. For more information, refer to: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24527
In addition, the following security strategies are some techniques that will help reduce risk and enhance overall control system security:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
3. Configure firewall ingress/egress rules to block the following TCP ports to prevent traversal of RNA messages into/out of the ICS system: 1330, 1331, 1332, 4241, 4242, 4445, 4446, 5241, 6543, 9111, 60093, 49281
4. Evaluate firewall configurations to ensure other appropriate traffic is blocked.
5. Use antivirus/antimalware and endpoint security solutions and verify that security definitions are kept up to date.
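The port-blocking items in the two advisories above (TCP/UDP 2222 and 44818 for CSP/EtherNet/IP/CIP in the PLC5/SLC advisory, and the FactoryTalk RNA TCP ports in item 3 here) are the kind of control that a configuration review should verify rather than assume. The following is an added example, not Rockwell Automation code: a small first-match packet-filter model with an audit that reports every (protocol, port, source, destination) combination a rule set still lets into the Manufacturing Zone. The subnet, host addresses and both rule sets are constructed; the "hardened" set assumes the one enterprise host only needs HTTPS to a single server in the zone.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports the two advisories above ask to be blocked at the Manufacturing Zone boundary.
CIP_PORTS = (2222, 44818)                                   # CSP / EtherNet/IP / CIP: TCP and UDP
RNA_TCP_PORTS = (1330, 1331, 1332, 4241, 4242, 4445, 4446,
                 5241, 6543, 9111, 60093, 49281)            # FactoryTalk RNA: TCP

# (protocol, port) pairs that must be denied from outside the zone: 4 CIP pairs + 12 RNA pairs.
REQUIRED_BLOCKS = tuple((proto, port) for proto in ("tcp", "udp") for port in CIP_PORTS) + \
                  tuple(("tcp", port) for port in RNA_TCP_PORTS)


@dataclass(frozen=True)
class Rule:
    """One line of a generic first-match packet filter (constructed model, not a vendor format)."""
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: str                         # source CIDR
    dst: str                         # destination CIDR
    ports: frozenset = frozenset()   # destination ports; empty means any port

    def matches(self, proto, src_ip, dst_ip, port):
        return (self.proto in ("any", proto)
                and ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (not self.ports or port in self.ports))


def decide(rules, default_action, proto, src_ip, dst_ip, port):
    """First matching rule wins; the filter's default policy applies when nothing matches."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, port):
            return rule.action
    return default_action


def audit_boundary(rules, default_action, outside_hosts, zone_hosts):
    """List every (proto, port, src, dst) combination the rule set still lets into the zone."""
    findings = []
    for proto, port in REQUIRED_BLOCKS:
        for src in outside_hosts:
            for dst in zone_hosts:
                if decide(rules, default_action, proto, src, dst, port) == "allow":
                    findings.append((proto, port, src, dst))
    return findings


# Constructed sample addresses: an enterprise subnet outside the zone, controllers inside it.
ENTERPRISE_HOSTS = ("192.168.50.10", "192.168.50.77")
ZONE_HOSTS = ("10.10.1.5", "10.10.2.20")
ZONE = "10.10.0.0/16"

# Constructed "before" rule set: a catch-all allow for one enterprise host precedes the deny,
# so first-match evaluation never reaches the block on the CIP ports for that host.
WEAK_RULES = [
    Rule("allow", "any", "192.168.50.10/32", ZONE),
    Rule("deny", "any", "0.0.0.0/0", ZONE, frozenset(CIP_PORTS)),
]

# Constructed hardened rule set: advisory ports denied first, then only the one service the
# enterprise host is assumed to need (HTTPS to a single server in the zone).
HARDENED_RULES = [
    Rule("deny", "any", "0.0.0.0/0", ZONE, frozenset(CIP_PORTS)),
    Rule("deny", "tcp", "0.0.0.0/0", ZONE, frozenset(RNA_TCP_PORTS)),
    Rule("allow", "tcp", "192.168.50.10/32", "10.10.2.20/32", frozenset({443})),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        gaps = audit_boundary(rules, "deny", ENTERPRISE_HOSTS, ZONE_HOSTS)
        print(f"{name}: {len(gaps)} exposed (proto, port, src, dst) combinations")
        for gap in gaps[:3]:
            print("  ", gap)
```

Run with the weak rule set the audit lists 32 exposed combinations (all 16 protocol/port pairs to both zone hosts from the host with the catch-all allow); with a default-allow policy the RNA ports from the second host are exposed as well. The hardened set yields no findings while still passing the one HTTPS flow, which is the shape of rule ordering the advisories' "block, then allow only what is needed" guidance implies.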
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
On August 13th 2015, the Rockwell Automation Security Taskforce became aware of an advisory published by ICS-CERT (ICSA-15-225-01), which stated that OSIsoft disclosed and resolved 56 security vulnerabilities in their PI Server 2015 release. In addition to PI Server 2015, OSIsoft has also released PI Server 2012 SP1, which includes a subset of the vulnerabilities fixed in the 2015 version. OSIsoft is strongly recommending that users upgrade to the PI Server 2015 release.
FactoryTalk Historian SE includes the OSI PI Server 2012 product, including the PI Data Archive component, in the standard product image. As part of this process, Rockwell Automation has investigated the reported vulnerabilities and has concluded that FT Historian SE customers are likely vulnerable to the same set of vulnerabilities as the PI Server product. At the time of publication, no public exploits are known for these vulnerabilities.
Details relating to these vulnerabilities, the known affected platforms and recommended mitigations are contained herein.
Rockwell Automation is continuing to investigate these vulnerabilities and is actively determining future plans to address them, including incorporating the updated OSI PI Server into FactoryTalk Historian Server. This advisory will be updated when these plans are determined, as well as when updated software is available for customers to upgrade their systems. We recommend that customers apply the mitigations detailed below and subscribe to this article to receive the abovementioned notifications when updated.
According to both the ICS-CERT and OSIsoft disclosures, a portion of highest-severity vulnerabilities may allow a remote code injection by an attacker who sends a specially crafted sequence of packets to the PI Server contained in FT Historian SE.
To be successful, the attacker must have network connectivity to reach the server running FT Historian SE and be able to access port 5450 on that system. A successful exploit would allow an attacker to gain full privileges on the Windows system. With this level of access, an attacker could tamper with the system or product binaries, read and write arbitrary data, and/or tamper with user accounts on the system.
According to these disclosures, these vulnerabilities can also be used to create a Denial-of-Service (DoS) condition on the target server, rendering the FT Historian SE server unavailable to the automation system, and potentially cause either loss or corruption of the PI Server data.
From June through October 2015, Rockwell Automation was notified of security vulnerabilities discovered in the Allen-Bradley MicroLogix 1100 and/or MicroLogix 1400 product families. One of these notifications was the security vulnerability (KB731427) previously disclosed during DEFCON 23 in August 2015.
As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has reproduced all of these vulnerabilities in both the MicroLogix 1100 and MicroLogix 1400 product families. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.
Details relating to these vulnerabilities, the known affected platforms and recommended countermeasures are contained herein.
A Remote Code Execution ("RCE") condition may result when an affected product receives a specific malicious web request. An attacker could exploit this vulnerability to inject and execute arbitrary code on the product. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and/or compromise the product’s integrity and confidentiality. The impact to the user’s automation system would be highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ.
This vulnerability applies to both the MicroLogix 1100 and MicroLogix 1400 platforms. However, at this time a fix is only available for the MicroLogix 1100 product family. A future product update for the MicroLogix 1400 will be available in the November 2015 timeframe, and will include this vulnerability fix. Rockwell Automation will update this advisory at the time of the release.
03-DEC-2015 UPDATE: Version 15.004 is now available for the MicroLogix 1400 product. See below for more details.
CVE-2015-6490 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
A Denial of Service ("DoS") condition may result on the MicroLogix 1100/1400 when an affected product receives a specific malicious web request, which would require user action to power cycle the product and restore it to a working state. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability. The impact to the user’s automation system would be highly dependent on the mitigations that the user may already employ.
CVE-2015-6492 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
A Remote File Inclusion condition may result on the MicroLogix 1100/1400 when an attacker crafts a malicious link, using the built-in feature to "redirect" outside web content into the product’s web page frame. This outside web content could contain malicious content that would target the unsuspecting user’s web browser when the content is rendered. The impact to the user’s automation system would be highly dependent on both the type of web exploits included in this attack and the mitigations that the user may already employ.
A successful attack would not compromise the integrity of the device or allow access to confidential information contained on it. On rare occasions the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.
This vulnerability was first disclosed in publication KB731427 and ICS-ALERT-15-225-02A in August 2015.
CVE-2015-6491 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
Ilya Karpov of Positive Technologies identified an XSS vulnerability in both the MicroLogix 1100 and 1400. This vulnerability may allow an attacker to inject and store JavaScript in the product’s web server, which would then be executed in the user’s web browser when the embedded web server function is accessed. The stored JavaScript may be used to execute web requests in the context of the user viewing the page, without that user’s knowledge. A factory reset is required to remove the stored JavaScript.
CVE-2015-6488 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
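The two browser-side issues above (outside content pulled into the product’s page frame through the "redirect" feature, and stored JavaScript echoed back by the embedded web server) share a mitigation pattern: validate what the page is allowed to frame, and encode stored values before they reach the browser. The following is an added example, not MicroLogix firmware or any Rockwell Automation code, written in Python for illustration; the host address in OWN_HOSTS and the table layout are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed: the address the embedded web server is reached at; "" covers relative paths.
OWN_HOSTS = frozenset({"", "10.10.1.5"})


def render_stored_field(label, stored_value):
    """Echo a user-supplied, stored value into HTML with every markup character encoded.
    Stored JavaScript then reaches the browser as inert text instead of executing."""
    return (f"<tr><td>{html.escape(label, quote=True)}</td>"
            f"<td>{html.escape(stored_value, quote=True)}</td></tr>")


def safe_frame_target(requested):
    """Validate a 'redirect' parameter before the page frames it.

    Returns a same-origin path (with its query string) or None. Rejects foreign hosts,
    protocol-relative URLs ('//evil.example/...'), backslash tricks and non-http schemes
    such as javascript: or data:."""
    parts = urlsplit(requested.strip())
    if parts.scheme not in ("", "http", "https"):
        return None
    if parts.scheme and not parts.hostname:       # absolute URL with no host: malformed
        return None
    if (parts.hostname or "") not in OWN_HOSTS:   # foreign or protocol-relative host
        return None
    if not parts.path.startswith("/") or "\\" in parts.path:
        return None
    return parts.path + (f"?{parts.query}" if parts.query else "")


if __name__ == "__main__":
    # Constructed inputs: one benign stored value, one carrying script markup.
    print(render_stored_field("Description", "Line 3 mixer"))
    print(render_stored_field("Description", "<script>alert(1)</script>"))
    for candidate in ("/diag.htm?page=2", "http://10.10.1.5/diag.htm",
                      "http://evil.example/payload.html", "//evil.example/x",
                      "javascript:alert(1)"):
        print(f"{candidate!r:40} -> {safe_frame_target(candidate)!r}")
```

The allowlist approach (same-origin only) is deliberately stricter than a denylist of known-bad hosts, because the advisory’s point is that the device would otherwise act as a trusted host delivering whatever the link names.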
Ilya Karpov of Positive Technologies has identified a Privilege Escalation vulnerability in the MicroLogix 1100/1400. Privilege Escalation may result when an attacker tricks an authorized user (through social engineering/phishing) into clicking a specific, malicious link, which allows the attacker to create a user or escalate the privileges of an existing user to the administrative level. An authorized administrator is required to undo the changes made after the attack.
CVE-2015-6486 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L)
For additional information on CVSS v3 metrics, vectors, and scores, please see FIRST’s Common Vulnerability Scoring System Version 3.0.
RISK MITIGATIONS
Rockwell Automation recommends that asset owners evaluate the impact of each of these vulnerabilities within their environment, and apply the following suggested mitigations that are applicable.
| Product Family | Catalog Numbers | Hardware Series | Vulnerabilities Fixed | Suggested Actions |
| MicroLogix 1100 | 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD | Series B | 1, 2, 3, 4, and 5 | - Apply FRN 15.000 (Downloads) - Apply the additional mitigations described below |
| MicroLogix 1100 | 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD | Series A | None | - Apply the mitigations described below |
| MicroLogix 1400 | 1766-L32AWA, 1766-L32AWAA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA | Series B | 1, 2, 3, 4, and 5 | - Apply FRN 15.004 (Downloads) - Apply the additional mitigations described below |
| MicroLogix 1400 | 1766-L32AWA, 1766-L32AWAA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA | Series A | None | - Apply the mitigations described below |
LINKS
Multiple credible sources disclosed that in the days and months prior to 14 July 2010 a series of cyber events occurred that took advantage of a previously unknown Windows™ vulnerability and delivered a specially crafted payload of malware that targeted industrial control systems, SCADA/critical infrastructure processes specifically. Technical details and a patch for the Windows vulnerability used during these events have been released by Microsoft in the recently updated Microsoft Security Advisory (2286198) v2.0 dated 2 August 2010. The specific malware, commonly known as W32.Stuxnet, has been analyzed by numerous antivirus vendors and is a known threat to Windows®-based systems.
Rockwell Automation recommends that all industrial control system users, regardless of the make or brand of components employed within the system, take necessary steps to safeguard against potential future attacks of this type by implementing good cyber security measures as outlined below.
A Windows™ operating system vulnerability known as the Shortcut Icon Loading Vulnerability (CVE-2010-2568) was confirmed as a means to allow malware commonly known as W32.Stuxnet to load and execute on PCs. The malware has also been confirmed to specifically target Siemens WinCC and PCS-7 SCADA software products. These products are typically used to control critical infrastructure processes that include power generation, power distribution, water/wastewater and other similar applications.
Rockwell Automation continues to closely monitor every aspect of this situation for new information and developments in order to provide our customers with timely and appropriate advice on this matter. Furthermore, we are continuing to work closely with appropriate authorities to review our proactive plans.
Given that industrial applications are known to heavily rely on mission-critical products built on the Windows operating system, Rockwell Automation is issuing guidance for all industrial control system customers. The following measures are intended as additions to a company’s own security policies and can help to reduce associated risk and enhance control system security.
The Shortcut Icon Loading Vulnerability currently uses USB drives as a means of transport to infect a PC, and does not rely on user interaction or the optional AutoPlay feature employed by the Windows operating system for devices that connect to USB ports.
The Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010 details the threat and risk as follows:
When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut.
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
An attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the target system.
An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows attempts to load the icon of the shortcut file, invoking the malicious binary. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).
IMMEDIATE RECOMMENDATIONS
Rockwell Automation has compiled the following immediate recommendations that include advice from Microsoft, Department of Homeland Security (DHS)/ICS-CERT plus added specific Rockwell Automation recommendations that can help mitigate the threat and simultaneously enhance the security of control systems:
MICROSOFT recommends immediate application of a Windows software patch as referenced in Microsoft Security Advisory (2286198) and further detailed in Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010.
NOTE: Rockwell Automation’s Patch Qualification team has completed an initial and partial qualification of the Microsoft Patch 2286198. See Rockwell Automation’s Immediate Recommendations below for additional information.
DHS/ICS-CERT recommends concerned users immediately implement the following measures:
Mitigations
Specific to this Shortcut Icon Loading Vulnerability and the specific W32.Stuxnet virus, malware samples were provided to the antivirus vendor community. Most major antivirus suppliers have already released updated virus definitions to contain and remove the malware.
NOTE: Rockwell Automation software is proactively tested for compatibility with Symantec’s Norton Antivirus software.
DHS/ICS-CERT reminds users to exercise caution when using USB drives. For more information on best practices and removable media, see the ICS-CERT Control Systems Analysis Report "USB Drives Commonly Used As An Attack Vector Against Critical Infrastructure."
www.us-cert.gov/control_systems/pdf/ICS-CERT%20CSAR-USB%20USAGE.pdf
Additional DHS/US-CERT Security Tips for use of caution with USB drives can be found here:
www.us-cert.gov/cas/tips/ST08-001.html
ROCKWELL AUTOMATION recommends concerned customers take the following additional precautions to enhance protection to industrial control systems:
Mitigations
NOTE: Similar caution should be employed with optical media as with USB drives. Software delivered on non-production optical media (CD+/-R, DVD+/-R, etc.; e.g. user-generated, "burned" rather than "pressed" media) is presumed higher risk than production-grade media.
As more information becomes known, Rockwell Automation expects these recommendations will be refined to help further protect control systems from the resulting risk.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security through the use of layered security and defense in depth practices when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at www.rockwellautomation.com/security.
In January 2016, SCADA Strange Love, an independent group of information security researchers, included several Rockwell Automation products in a project they published called SCADAPass.
SCADAPass contains a list of default passwords in popular industrial control systems ("ICS") and supervisory control and data acquisition ("SCADA") products, including programmable logic controllers ("PLCs") and human-machine interfaces ("HMIs"). Default credentials may be used by an attacker to gain privileged access to remotely accessible assets if a user does not take explicit action to change the default user credentials.
As part of this process, Rockwell Automation evaluated the included products in SCADAPass, and determined that all of the products’ default passwords are changeable by the user. Directions on how to change these passwords are found in the respective product manuals, which can be found in the table below.
In December 2015, Rockwell Automation was notified by ICS-CERT of a Buffer Overflow security vulnerability discovered in the web server of the Allen-Bradley MicroLogix 1100 controller platform. At this time, there is no known publicly available exploit code relating to the vulnerability. Rockwell Automation has verified this discovery and released revised product firmware to address associated risk. ICS-CERT published an advisory (ICSA-16-026-02) to cover this vulnerability.
Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.
Remote Code Execution through Stack-based Buffer Overflow
A Remote Code Execution ("RCE") condition may result when an affected product receives a specific malicious web request. An attacker could exploit this vulnerability to inject and execute arbitrary code on the product. Receipt of such a request from an unintended or unauthorized source has the potential to cause loss of product availability and/or compromise the product’s integrity and confidentiality. The impact to the user’s automation system would be highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ.
CVE-2016-0868 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Rockwell Automation recommends that asset owners evaluate the impact of this vulnerability within their environment, and apply the following suggested mitigations that are applicable.
| Product Family | Catalog Numbers | Hardware Series | Suggested Actions |
| MicroLogix 1100 | 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD | Series B | - Apply FRN 15.002 - Apply the additional mitigations described below |
| MicroLogix 1100 | 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD | Series A | - Apply the additional mitigations described below |
A vulnerability has been discovered by Ivan Javier Sanchez of Nullcode Team in the Integrated Architecture Builder (IAB) tool. This tool is used by our customers to configure their Logix-based automation systems, select hardware, and generate bills of material for applications including controllers, I/O, networks, drives, cabling & wiring, motion control, and other devices.
The discovered vulnerability is not remotely exploitable and successful social engineering is required to convince a victim to use the tool to open an untrusted, specifically modified project file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as the IAB tool. The impact to the user’s environment is highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ. At this time there is no known publicly available exploit code.
Rockwell Automation has verified the validity of Mr. Sanchez’s discoveries and a new software release has been issued for Integrated Architecture Builder which addresses the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.
IAB has a capability to open an existing project file containing a control system hardware definition so that the user can create a validated bill of material. The discovered vulnerability is within the IAB.exe code that parses this project file content. In certain cases where a uniquely crafted or altered file is used, the IAB.exe parser code execution can allow the execution of unknown code on the affected computer. If successful, such unknown code will be running at the same privilege level as the user who is logged into the machine.
Exploitation of this vulnerability requires an attacker to convince a user to introduce or replace project files with specifically created or modified project files that have been constructed to use this condition to successfully execute malicious code.
Potential impacts from a successful attack could include a software crash (e.g. Denial of Service) thereby requiring a software restart. In more extreme cases, the victim may not even be aware of vulnerability exploitation while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same, or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.
CVE-2016-2277 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Customers using affected versions of the Integrated Architecture Builder are encouraged to upgrade to the newest available software versions that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Version 1.0 - June 6th, 2016
This advisory is intended to raise awareness among control system owners and operators of PowerFlex 7000 medium voltage drives. A January 2016 presentation at the S4 ICS Security Conference highlighted a potential weakness in Variable Frequency Drives that allows unauthorized users to change configuration parameters in these devices. The presentation highlighted products from four vendors, including Rockwell Automation. This presentation spawned several news articles, including one entitled "An Easy Way for Hackers to Remotely Burn Industrial Motors" from WIRED Magazine. This article reminds us that cybersecurity threats are present and not always easy to anticipate. Unfortunately, neither the article’s author, Kim Zetter, nor her source, Reid Wightman, has contacted Rockwell Automation at the time of writing with any specific information, so we can only try to guess how their statements apply to our drives.
This article implies that all the drives it references can be easily accessed and provide an easy means to change parameters in a way that could result in motor damage. It overlooks the many self-monitoring features built into modern drives that prevent changes to parameters while the drive is running, detect improper operation, and monitor external sensors for equipment, such as motors, that is exceeding design parameters.
Variable frequency drives, by their nature, are designed to support a wide variety of applications, and the improper setting of one or more parameters can create application issues. Rockwell Automation is aware of this and constantly looks for ways to eliminate these situations or, where the possibility arises from a customer need, to alert the user to the problem with a fault or error message before it causes damage.
Below are recommended mitigations and resources to help protect your deployed Rockwell Automation products, including variable frequency drives. We strongly recommend that you evaluate your current products and environment, and apply the following mitigations where applicable.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
In June 2016, Patrick DeSantis of Cisco Talos, Cisco Systems, Inc.’s ("Cisco") security intelligence and research group, reported to Rockwell Automation that an undocumented and privileged Simple Network Management Protocol ("SNMP") community string exists in the MicroLogix™ 1400 Programmable Logic Controller ("PLC") product. Knowledge of the undocumented community string may allow an attacker to make unauthorized changes to the product’s configuration, including firmware updates.
Rockwell Automation has evaluated the report and confirmed the existence of the undocumented community string in the MicroLogix 1400. We have further investigated and discovered that one of the SNMP community strings is hardcoded and cannot be changed by the user. Customers using affected versions of this product are encouraged to evaluate the mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are also provided below.
SNMP is a standard protocol employed by many types of internet protocol ("IP") based products and provides centralized and remote device management capabilities. One of the many SNMP capabilities in this product enables users to manage the product’s firmware, including applying firmware updates. The MicroLogix 1400 uses this SNMP capability as its official mechanism for applying firmware updates to the product.
By default, the MicroLogix 1400 enables SNMP and has these community strings in the product:
Due to the nature of this product’s firmware update process, this capability cannot be removed from the product. Instead, mitigations are offered to reduce the risk of this capability being used by a malicious actor.
CVE-2016-5645 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS v3 vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
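The advisory does not publish the device’s community strings, so the following is an added illustration rather than Rockwell Automation code: a minimal BER codec for SNMPv1/v2c messages and an audit that flags SetRequests arriving from hosts outside an allow-list. It shows why a community string that cannot be changed is a weak control: the string is carried in cleartext in every message, so anyone who can observe SNMP traffic to the controller learns it, and the remaining controls are network-level (restricting UDP/161 to management hosts and alerting on SetRequests from anywhere else). The community strings, addresses and OIDs in the sample traffic are placeholders constructed for this example.

```python
"""Minimal SNMPv1/v2c BER codec plus a SetRequest audit (added example,
not Rockwell Automation code). Community strings, hosts and OIDs below are
constructed placeholders; the advisory does not publish the device's strings."""
from __future__ import annotations

SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}


def _tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value; long-form length when body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _int(v: int) -> bytes:
    """Minimal two's-complement INTEGER (version, request-id, status codes)."""
    return _tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(OID, bytes(out))


def encode_snmp(community: str, pdu_tag: int, oid: str, value: bytes | None = None,
                request_id: int = 1, version: int = 0) -> bytes:
    """Build a v1 (version 0) or v2c (version 1) message with one varbind.
    The community string goes on the wire as a plain OCTET STRING."""
    val = _tlv(NULL, b"") if value is None else _tlv(OCTET_STRING, value)
    varbinds = _tlv(SEQUENCE, _tlv(SEQUENCE, _oid(oid) + val))
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(SEQUENCE, _int(version) + _tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, body, next_pos); raises on truncated input."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet: bytes) -> dict:
    """Extract version, community, PDU type and varbind OIDs from a message."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                      # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        oids.append(_decode_oid(_read_tlv(vb, 0)[1]))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}


def audit_set_requests(traffic, allowed_sources):
    """Flag SetRequests whose source is not an approved management host.
    traffic: iterable of (src_ip, udp_payload) pairs, e.g. taken from a capture."""
    findings = []
    for src, payload in traffic:
        try:
            msg = parse_snmp(payload)
        except (ValueError, IndexError):
            continue                        # not SNMP or malformed; out of scope here
        if msg["pdu"] == "SetRequest" and src not in allowed_sources:
            findings.append((src, msg["community"], msg["oids"]))
    return findings


# Constructed sample traffic, not a capture from a real controller.
SAMPLE_TRAFFIC = [
    ("10.0.1.5", encode_snmp("public", 0xA0, "1.3.6.1.2.1.1.1.0")),            # read, admin host
    ("10.0.1.5", encode_snmp("private", 0xA3, "1.3.6.1.2.1.1.5.0", b"PLC1")),  # write, admin host
    ("10.0.9.77", encode_snmp("private", 0xA3, "1.3.6.1.2.1.1.5.0", b"x")),    # write, elsewhere
]

if __name__ == "__main__":
    for src, comm, oids in audit_set_requests(SAMPLE_TRAFFIC, {"10.0.1.5"}):
        print(f"ALERT SetRequest from {src} using community {comm!r} on {oids}")
```

Run as a script it reports the SetRequest from 10.0.9.77. The point of the audit is that the community string is extracted trivially from the same bytes the controller receives, so it cannot serve as authentication once it is fixed in firmware; source restriction and alerting are what remain.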
Customers using affected versions of the MicroLogix 1400 are strongly encouraged to evaluate and deploy the risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index and the company public security web page at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website at http://www.rockwellautomation.com/solutions/security.
Version 1.0 - MAY 19, 2017
A vulnerability has been identified in select PanelView™ Plus 6 700-1500 (7" - 15" displays) graphic terminal products. The identified versions ship with an open test port that, if successfully exploited via Telnet, can allow a remote attacker to connect to a host device and cause changes as if the device were in a testing environment.
PanelView Plus 6 700-1500 (7" - 15" displays) graphic terminal products allow customers to monitor, control, and display the status of their application graphically within their system. These products are used across several industries, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the relevant mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
Any graphic terminals that are using OS 2.31 or greater are not affected by this vulnerability. The OS version can be found in the release notes for firmware.
Only firmware versions listed below are affected by this vulnerability. For information on how to identify the installed firmware version on your terminal, please see the following link: https://www.youtube.com/watch?v=nLPnBpMXqEs&t=9s
PanelView Plus 6 700-1500 (7" - 15" displays) Graphic Terminals and Logic Modules with the following firmware versions installed:
6.00.04
6.00.05
6.00.42
6.00-20140306
6.10.20121012
6.10-20140122
7.00-20121012
7.00-20130108
7.00-20130325
7.00-20130619
7.00-20140128
7.00-20140310
7.00-20140429
7.00-20140621
7.00-20140729
7.00-20141022
8.00-20140730
8.00-20141023
VULNERABILITY DETAILS
A remote, unauthenticated user could connect to a PanelView Plus 6 700-1500 (7" - 15" display) device by establishing a Telnet session with the panel. Once connected, the attacker can access the test interface of the graphic terminal, which allows them to make potentially disruptive changes and/or extract information from the device.
Rockwell Automation has evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Customers using the affected terminals are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed toward risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Type of Device | Product Family | Suggested Actions |
| Graphic Terminals and Logic Modules | PanelView Plus 6 700-1500 (7"-15") | V7.00: apply V7.00-20150209. Alternatively, disable TestMon on the device; for more information, see KnowledgeBase Article 1046760 |
GENERAL SECURITY GUIDELINES
1. Block all traffic to EtherNet/IP™ devices or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP and UDP ports 2222 and 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management (UTM) devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Article ID 898270.
2. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
3. Locate control system networks and devices behind firewalls, and isolate them from the rest of the business network.
4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.
5. When downloading updates, make sure the site or source of the update can be trusted.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.
ADDITIONAL LINKS
54102 - Industrial Security Advisory Index
Industrial Firewalls within a CPwE Architecture
Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
Version 1.2 – August 26, 2019
Version 1.1 – February 28, 2019
Version 1.0 – February 13, 2019
Rockwell Automation® Product Security Incident Response Team ("RA PSIRT") was made aware of two vulnerabilities logged in the National Vulnerability Database ("NVD") regarding the Allen-Bradley PowerMonitor™ 1000 monitors. The public disclosure includes details which can allow for potential reproduction and exploitation of these vulnerabilities.
PowerMonitor products are energy metering devices that integrate with existing energy monitoring systems to provide load profiling, cost allocation, and/or energy control information for customers’ systems.
UPDATE v1.2 - Rockwell Automation has released a remediation that addresses both vulnerabilities. Please see the Risk Mitigations and Recommended User Actions section for additional details.
Customers using this product are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional security guidelines are provided in the Risk Mitigations and Recommended User Actions sections below.
Vulnerability #1: Cross-Site Scripting
A vulnerability in the web application of the affected device could allow a remote, unauthenticated threat actor to inject arbitrary code into a targeted user’s web browser. The impact to the user is highly dependent on both the content of the exploit developed by the threat actor as well as the mitigations that the user may already employ in their system. The target of this type of attack is not the device itself; instead, it is used as a vehicle to deliver an attack to the web browser.
CVE-2018-19615 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.4/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H.
Vulnerability #2: Authentication Bypass
A vulnerability in the web application of the affected device could allow a remote, unauthenticated threat actor to use a proxy to enable certain functionality that is typically available to those with administrative rights for the web application. Upon successful exploitation, a threat actor could potentially disrupt user settings and device configuration.
CVE-2018-19616 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 9.1/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.
Customers are encouraged to assess their level of risk with respect to their specific applications and implement appropriate mitigations as needed. RA PSIRT is monitoring the situation and will provide specific remediation information when available.
Customers are directed to the general risk mitigation strategies provided below, and are encouraged when possible, to employ multiple strategies simultaneously.
| Vulnerability | Catalog Numbers | Suggested Actions |
| #1: Cross-Site Scripting | 1408-BC3A-ENT, 1408-EM3A-ENT, 1408-TS3A-ENT | Apply Firmware Revision 4.019, the remediation released with advisory version 1.2 (see the revision history below) |
| #2: Authentication Bypass | 1408-BC3A-ENT, 1408-EM3A-ENT, 1408-TS3A-ENT | Apply Firmware Revision 4.019, the remediation released with advisory version 1.2 (see the revision history below) |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 26-August-2019 | 1.2 | Firmware Revision 4.019 released, addresses vulnerabilities |
| 28-February-2019 | 1.1 | Updated with ICS-CERT links, corrected typos, added security mitigations |
| 13-February-2019 | 1.0 | Initial Release |
Version 1.1 - August 2, 2019
Version 1.0 - July 9, 2019
Several customers contacted Remote Support about an issue with their PanelView™ 5510 graphic terminals that, upon further investigation, could expose a potential vulnerability in the terminal. If successfully exploited, this vulnerability may allow a threat actor to gain access to the file system on the terminal.
PanelView 5510 terminals are operator interface devices that monitor and control devices that are attached to certain Rockwell Automation® Programmable Automation Controllers via EtherNet/IP™. These products are used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.
Customers using affected versions of this firmware in their product are encouraged to evaluate and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
PanelView 5510 Graphic Terminals
A race condition exists in the boot process of the PanelView 5510 Graphic Display which, on rare occasions, results in a state that allows root-level access to the device’s file system. If VNC is enabled on the device, a remote authenticated threat actor could leverage the vulnerability to gain root-level access to the device.
CVE-2019-10970 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
Customers using PanelView 5510 terminals with manufacturing dates prior to 2019/03/13 are encouraged to update to an available revision that addresses the associated risk. Customers who are unable to update should disable the VNC server on the device. In addition, if possible, customers should remove peripherals such as keyboards and limit arbitrary power cycling of the product. Customers who are unable to update are also directed towards the risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines.
| Product Family | Actions | Notes |
| PanelView 5510 using v4 | Apply v4.003 or later | Download |
| PanelView 5510 using v5 | Apply v5.002 or later | Download |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).
| Date | Version | Details |
| 09-July-2019 | 1.0 | Initial Release |
| 02-August-2019 | 1.1 | Clarified Vulnerability Details and Risk Mitigation details |
Version 1.0 – May 20, 2019
On May 14, 2019, Microsoft disclosed the existence of, and released the relevant patches for, a critical security vulnerability in relation to the Remote Desktop (RDP) functionality in Windows desktop and server operating systems. According to Microsoft’s disclosures, this vulnerability impacts older versions of Windows products up to Windows 7 and Windows Server 2008. Microsoft has also stated that it has not observed any evidence of attacks against this vulnerability, but that its presence poses a very serious threat that could expose users of the Remote Desktop functionality, including Rockwell Automation customers, to the potential of a rapidly spreading malware attack.
At this time, Rockwell Automation has not identified any products susceptible to this vulnerability. If any products are identified that could be potentially impacted, we will notify our customers with a post to KnowledgeBase, as appropriate.
Customers using affected versions of Windows operating systems are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations. Additional details relating to the Windows vulnerability, including affected products and recommended countermeasures, are provided herein.
Customers should reference the Microsoft publication for details and list of affected products: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708.
Customers should understand their potential exposure to this vulnerability by completing a thorough asset inventory and vulnerability management program.
Customers using the affected operating systems are encouraged to evaluate and apply the Microsoft-provided patches at the earliest possible time. Rockwell Automation provides preliminary qualification for supported Microsoft operating systems. Customers can find the status of Rockwell Automation’s test results at any time by referencing its Microsoft Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/qualifications.htm.
Customers who are unable to update should consider the alternative mitigations provided by Microsoft. Always refer to the Microsoft advisory for the most recent recommendations.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to its Product Security Incident Response FAQ document.
Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to its systems in the future. For more information and for assistance with assessing the state of security of their existing control system, including improving their system-level security when using Rockwell Automation and other vendor controls products, customers can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).
| Date | Version | Details |
| 20-MAY-2019 | 1.0 | Initial release |
| 15-AUG-2019 | 1.1 | Update to title |
Version 1.5 - May 13, 2019
A vulnerability exists in the Logix5000™ Programmable Automation Controller product line that, if successfully exploited, can either cause a Denial of Service ("DoS") or potentially allow an attacker to alter the operating state of the controller through a buffer overflow. Logix5000 is a product line of Programmable Automation Controllers used to control processes across several sectors, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; as well as automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting evaluations to help achieve completeness in its risk assessment and mitigation processes.
As of this announcement and to the knowledge of Rockwell Automation, there is no publicly available exploit code relating to this vulnerability.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply those mitigations that they deem applicable to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
UPDATE: Aug 21, 2018
New remediated firmware versions for the PowerFlex 700S drives with Phase II control with the embedded DriveLogix 5730 controller option installed have been released. See below for details.
UPDATE: Feb 13, 2017
Further internal investigation discovered that the DriveLogix™ platform is also affected by this vulnerability. DriveLogix is an embedded, high-performance Logix engine as a part of a PowerFlex® 700S drive solution, specifically for the PowerFlex 700S Drives with Phase II Control. Affected versions of DriveLogix, as well as mitigations to deploy for affected customers, are provided as below.
The affected firmware versions are listed, followed by a list of the products that utilize the affected firmware.
Note: Firmware versions (for all products) prior to Firmware Revision Number ("FRN ") 16.00 are not affected by this vulnerability.
The products above are affected in the corresponding versions of firmware. Check the Updates/Risk Mitigations section below to verify that all functional versions of firmware include the latest security updates for this vulnerability in the event one of the aforementioned products is being used with a version of firmware that is not listed herein.
This vulnerability may allow an attacker to send a specific malformed Common Industrial Protocol ("CIP") packet to the product and cause a Major Non-Recoverable Fault ("MNRF"), resulting in a Denial of Service ("DoS") condition. The underlying defect is a buffer overflow condition, which may also allow the attacker to alter the operating state of the controller. This vulnerability is remotely exploitable. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place.
CVE-2016-9343 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
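The advisory does not describe the malformed packet, and nothing here reproduces it. As an added example (not Rockwell Automation code), the following validates the 24-byte EtherNet/IP encapsulation header that precedes every CIP request on TCP/UDP 44818, rejecting the kinds of inconsistency (a declared length that disagrees with the bytes actually received, an undefined command, a non-zero options field) that an unchecked parser would turn into a buffer overflow. It is the sort of screening a monitoring sensor or a gateway at the manufacturing-zone boundary, where the general security guidelines earlier on this page recommend filtering ports 2222 and 44818, can apply before traffic reaches a controller. The command codes and header layout are those of the EtherNet/IP specification; the sample packets are constructed for this example.

```python
"""Validate EtherNet/IP encapsulation headers before any CIP data is parsed.
Added example, not Rockwell Automation code; sample packets are constructed."""
from __future__ import annotations

import struct
from typing import Iterable

# Encapsulation header (CIP Volume 2): all fields little-endian, 24 bytes total.
ENCAP = struct.Struct("<HHII8sI")        # command, length, session, status, context, options
HEADER_LEN = ENCAP.size                  # 24
KNOWN_COMMANDS = {
    0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
    0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
    0x006F: "SendRRData", 0x0070: "SendUnitData",
}


def validate_encap(packet: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only a header consistent with the bytes received."""
    if len(packet) < HEADER_LEN:
        return False, f"short header ({len(packet)} < {HEADER_LEN} bytes)"
    command, length, session, status, context, options = ENCAP.unpack_from(packet)
    if command not in KNOWN_COMMANDS:
        return False, f"unknown command 0x{command:04x}"
    if options != 0:                     # the spec has receivers discard non-zero options
        return False, f"non-zero options field 0x{options:08x}"
    actual = len(packet) - HEADER_LEN
    if length != actual:                 # the mismatch an unchecked parser would trust
        return False, f"declared data length {length} != received {actual}"
    return True, KNOWN_COMMANDS[command]


def build_encap(command: int, data: bytes, session: int = 0, options: int = 0,
                declared_length: int | None = None) -> bytes:
    """Build a packet; declared_length lets the samples carry a lying header."""
    length = len(data) if declared_length is None else declared_length
    return ENCAP.pack(command, length, session, 0, b"\x00" * 8, options) + data


def screen_packets(packets: Iterable[bytes]) -> list[tuple[int, bool, str]]:
    """Screen a batch as a boundary device would; yields (index, accepted, reason)."""
    return [(i, *validate_encap(p)) for i, p in enumerate(packets)]


# Constructed samples (not captures). RegisterSession carries a 4-byte body:
# protocol version 1 and option flags 0.
REGISTER_BODY = struct.pack("<HH", 1, 0)
SAMPLE_PACKETS = [
    build_encap(0x0065, REGISTER_BODY),                          # well-formed
    build_encap(0x0065, REGISTER_BODY, declared_length=4096),    # claims more than was sent
    build_encap(0x006F, b"\x00" * 16, declared_length=4),        # claims less than was sent
    build_encap(0x0065, REGISTER_BODY, options=1),               # options must be zero
    build_encap(0x00FF, b""),                                    # not a defined command
    b"\x65\x00",                                                 # truncated header
]

if __name__ == "__main__":
    for i, ok, why in screen_packets(SAMPLE_PACKETS):
        print(f"packet {i}: {'accept' if ok else 'DROP'} - {why}")
```

Only the first sample passes. A header whose declared length exceeds the data received is the classic precondition for an over-read or over-copy in a parser that allocates or copies by the declared value, which is why the check compares the field against the byte count that actually arrived rather than trusting either alone.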
Customers using affected controllers are encouraged to upgrade to an available firmware version that addresses the associated risk.
Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below, are similarly recommended. Employ multiple strategies when possible.
Update supported products based on this table:
| Type of Controller | Product Family | Catalog Numbers | Remediated Versions |
| Embedded Controller Option with PowerFlex 700S | DriveLogix 5730 | Catalog numbers beginning with 20D with a "K" or "L" in the 17th position For more information about these catalog numbers, see page 10 of the PowerFlex 700S Drives with Phase II Control Technical Data document | V16.23 V17.05 |
| Soft Controller | SoftLogix 5800 | 1789-Lx | V23: FRN 23.00 or later |
| Software (used by ControlLogix) | RSLogix Emulate 5000 | 9310-Wx | V23: FRN 23.00 or later |
| Standard Controllers | ControlLogix L55 | 1756-L55x | V16: FRN 16.023 or later |
| Standard Controllers | ControlLogix 5560 | 1756-L6 | V16: FRN 16.023 or later V20: FRN 20.014 or later |
| Standard Controllers | ControlLogix 5570 | 1756-L7 | V20: FRN 20.014 or later V23: FRN 23.012 or later V24 or later |
| Standard Controllers (Redundant) | ControlLogix 5560 | 1756-L6 | V20: FRN 20.056 or later |
| Standard Controllers (Redundant) | ControlLogix 5570 | 1756-L7 | V20: FRN 20.056 or later V24: FRN 24.052 or later |
| Small Controllers | CompactLogix L23x CompactLogix L3x | 1769-L23, 1769-L31, 1769-L32, 1769-L35 | V20: FRN 20.014 or later |
| Small Controllers | CompactLogix 5370 L1 CompactLogix 5370 L2 CompactLogix 5370 L3 | 1769-L1, 1769-L2, 1769-L3 | V20: FRN 20.014 or later V23: FRN 23.012 or later V24 or later |
| Small Controllers | CompactLogix L4x | 1768-L4x | V16: FRN 16.026 (Series A, B, C) FRN 16.027 or later (Series D) V20: FRN 20.014 or later (Series A, B, C) FRN 20.016 or later (Series D) |
| Safety Controllers | GuardLogix L4xS | 1768-L4xS | V20: FRN 20.018 or later |
| Safety Controllers | GuardLogix 5560 | 1756-L6S | V20: FRN 20.018 or later |
| Safety Controllers | GuardLogix 5570 | 1756-L7S | V20: FRN 20.018 or later V23: FRN 23.012 or later V24 or later |
Note: Customers using affected versions of FlexLogix, which is a discontinued product, are urged to contact their local distributor or Sales Office in order to upgrade to newer product lines that contain the relevant mitigations.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at Knowledgebase Article ID 54102.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).
| Date | Version | Details |
| 05-DEC-2016 | 1.0 | Initial release. |
| 16-DEC-2016 | 1.1 | Added details to indicate this is a CIP based packet and added mitigations for CIP networks. |
| 04-JAN-2017 | 1.2 | Clarified CompactLogix L4x and GuardLogix L4xS V20 affected versions, and added remediated GuardLogix L4xS version. |
| 13-FEB-2017 | 1.3 | Added details for PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed. |
| 21-AUG-2018 | 1.4 | Added remediated versions of Firmware for PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed. |
| 13-MAY-2019 | 1.5 | Fixed broken links and added RA contact information. |
CompactLogix 5370 Programmable Automation Controllers Denial of Service Vulnerabilities
Rockwell Automation received two reports about potential vulnerabilities affecting versions of CompactLogix™ 5370 Programmable Automation Controllers. A successful exploitation of one of these potential vulnerabilities could result in a Denial of Service ("DoS") condition to the web portal of the affected device. A successful exploitation of the second vulnerability could potentially result in a DoS to the controller, where it enters a major non-recoverable fault ("MNRF"). An MNRF is considered a safe state. Further details about MNRFs can be found in the vulnerability details section.
Customers using the affected products are strongly encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended security guidelines, are provided herein.
At the time of this writing, the Rockwell Automation® Product Security Incident Response Team ("PSIRT") is unaware of any active exploitation of these potential vulnerabilities.
About Major Non-Recoverable Faults ("MNRFs")
If an MNRF occurs in a CompactLogix controller, all I/O modules transition to their configured fault state (for example, Hold Last State). Memory is marked as invalid and cleared. The memory clear is controlled and intentional: the controller has determined internally that something is wrong and cannot guarantee continued safe execution. The controller therefore enters a Major Non-Recoverable Faulted state, which is considered safe. Recovery requires downloading the application program again.
Vulnerability #1: Email Object Stack Overflow Denial of Service
Rockwell Automation received a report describing a vulnerability where a remote, unauthenticated threat actor could send crafted SMTP configuration packets to port 44818 potentially causing a Denial of Service condition, where the controller enters a major non-recoverable faulted state ("MNRF").
CVE-2019-10954 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #2: Web Portal Denial of Service
Younes Dragoni of Nozomi Networks discovered a Denial of Service vulnerability in the web server of CompactLogix 5370 PLCs. By sending specific requests to the web server, a remote, unauthenticated threat actor could potentially force the web server to become unreachable, potentially preventing the user from gaining web access to view live controller data. A reset of the device is required to recover the web server. The control functions of the product are not affected by this vulnerability.
CVE-2019-10952 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 5.3/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.
| Product Family | Actions | Notes |
| CompactLogix 5370 | Apply FRN 31.011 or later | Download |
| Compact GuardLogix 5370 | Apply FRN 31.011 or later | Download |
| Armor Compact GuardLogix 5370 | Apply FRN 31.011 or later | Download |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).
Version 1.0 – April 23, 2019
Rockwell Automation received a report from ICS-CERT regarding an open redirect vulnerability in the web server of certain small Programmable Logic Controllers (PLCs) that, if successfully exploited, could allow a threat actor to inject arbitrary web content into the affected device’s web pages. Affected product families include CompactLogix™ 5370 controllers and MicroLogix™ controllers.
Customers using affected versions of this firmware are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
MicroLogix 1400 Controllers
MicroLogix 1100 Controllers
CompactLogix 5370 L1 controllers
CompactLogix 5370 L2 controllers
CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix® controllers)
VULNERABILITY DETAILS
These devices contain a web server that accepts user inputs via web interface. A remote, unauthenticated threat actor could utilize this function in conjunction with a social engineering attack to redirect the user from the affected controller’s web server to a malicious website of the threat actor’s choosing. This malicious website could potentially run or download arbitrary malware on the user’s machine. The target of this type of attack is not the industrial control device and does not disrupt its control functionality.
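The fix for an open redirect is on the server side: before issuing a redirect, the web server must confirm that the target stays on the controller. The following Python check is an added example, not controller firmware or Rockwell code; it assumes the redirect target arrives as a single URL string (the advisory names no parameter) and that `device_host` is the controller's own address. It covers the forms browsers resolve off-host that a naive "starts with /" test misses: scheme-relative targets, backslashes in the authority, and userinfo tricks.

```python
"""Same-origin check for a redirect target, the validation an open-redirect
fix needs. Added example, not controller firmware; the target-string
handling is an assumption."""
from urllib.parse import urlsplit


def is_safe_redirect(target, device_host):
    """True only if following `target` keeps the browser on device_host."""
    if not target:
        return False
    target = target.strip()
    # Control characters can split headers or smuggle a second URL.
    if any(ch in target for ch in "\r\n\t\x00"):
        return False
    # Browsers treat '\' like '/' in the authority ('\\evil.example' -> '//evil.example').
    normalised = target.replace("\\", "/")
    # Scheme-relative ('//evil.example', '///evil.example') leaves the device;
    # urlsplit does not report a host for the triple-slash form, so reject early.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme:
        # Absolute URL: only http(s) back to the device itself is acceptable.
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            return False
        # hostname drops userinfo and port, so 'http://10.1.2.10@evil.example' fails here.
        return parts.hostname == device_host.lower()
    return True   # path-only relative target stays on the device


def safe_redirect_target(target, device_host, fallback="/"):
    """Redirect destination the web server should actually emit."""
    return target.strip() if is_safe_redirect(target, device_host) else fallback


if __name__ == "__main__":
    for t in ("/index.html", "//evil.example/", "http://10.1.2.10@evil.example/"):
        print(t, "->", safe_redirect_target(t, "10.1.2.10"))
```

The conservative choice here is to reject every scheme-relative form rather than try to resolve it: the only legitimate redirect targets on a controller's web server are paths on that server or absolute URLs naming it.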
CVE-2019-10955 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.1/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Customers are encouraged to assess their level of risk with respect to their specific applications and update to the latest available firmware revision that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below and are encouraged, when possible, to combine these strategies with the general security guidelines to employ multiple strategies simultaneously.
| Product | Catalog Numbers | Suggested Actions |
| MicroLogix 1400 controllers, Series A | 1766-L32AWA | |
| MicroLogix 1400 controllers, Series B | 1766-L32AWA | |
| MicroLogix 1100 controllers | 1763-L16BWA | |
| CompactLogix 5370 L1 controllers | 1769-L16ER-BB1B 1769-L18ER-BB1B 1769-L18ERM-BB1B 1769-L19ER-BB1B | Apply v31.011 or later (Download) |
| CompactLogix 5370 L2 controllers | 1769-L24ER-QB1B 1769-L24ER-QBFC1B 1769-L27ERM-QBFC1B | Apply v31.011 or later (Download) |
| CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix controllers) | 1769-L30ER 1769-L30ER - NSE 1769-L30ERM 1769-L30ERMS 1769-L33ER 1769-L33ERM 1769-L33ERMS 1769-L36ERM 1769-L36ERMS 1769-L37ERMO 1769-L37ERMOS | Apply v31.011 or later (Download) |
GENERAL SECURITY GUIDELINES
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).
ADDITIONAL LINKS
Version 1.0 - April 4, 2019
Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. This publication includes seven security advisories. One of these vulnerabilities affects the four Allen-Bradley® Stratix® and ArmorStratix™ products, which are listed in the Affected Products section below.
Cisco Network Plug and Play Agent Memory Leak Vulnerability
A vulnerability in the Cisco Network Plug and Play agent, also referred to as the Cisco Open Plug-n-Play agent, of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak on an affected device.
The vulnerability is due to insufficient input validation by the affected software. An attacker could exploit this vulnerability by sending invalid data to the Cisco Network Plug and Play agent on an affected device. A successful exploit could allow the attacker to cause a memory leak on the affected device, which could cause the device to reload.
The product security disclosure from Cisco for their IOS and IOS XE software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-pnp-memleak.
CVE-2018-15377 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H.
Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Update the affected products per the table below:
| Product Family | Updates Available |
| Stratix 5400 Industrial Ethernet Switches | Apply FRN 15.2(6)E2a or later (Download) |
| Stratix 5410 Industrial Distribution Switches | Apply FRN 15.2(6)E2a or later (Download) |
| Stratix 5700 Industrial Managed Ethernet Switches | Apply FRN 15.2(6)E2a or later (Download) |
| ArmorStratix 5700 Industrial Managed Ethernet Switches | Apply FRN 15.2(6)E2a or later (Download) |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).
| Date | Version | Details |
| 04-April-2019 | 1.0 | Initial release |
Version 1.0 - April 4, 2019
Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included seven security advisories. Five of these vulnerabilities affect the six Allen-Bradley® Stratix® and ArmorStratix™ products listed in the Affected Products section below.
Vulnerability #1: Open Shortest Path First (OSPF v3) Denial of Service
A vulnerability in the Open Shortest Path First version 3 (OSPFv3) implementation in Cisco IOS and IOS XE Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload.
The vulnerability is due to incorrect handling of specific OSPFv3 packets. An attacker could exploit this vulnerability by sending crafted OSPFv3 Link-State Advertisements (LSA) to an affected device. An exploit could allow the attacker to cause an affected device to reload, leading to a denial of service (DoS) condition.
The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ospfv3-dos.
CVE-2018-0466 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #2: Hypertext Transfer Protocol (HTTP) Denial of Service
A vulnerability in the web framework of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a buffer overflow condition on an affected device, resulting in a denial of service (DoS) condition.
The vulnerability is due to the affected software improperly parsing malformed HTTP packets that are destined to a device. An attacker could exploit this vulnerability by sending a malformed HTTP packet to an affected device for processing. A successful exploit could allow the attacker to cause a buffer overflow condition on the affected device, resulting in a DoS condition.
The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos.
CVE-2018-0470 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #3: Precision Time Protocol (PTP) Denial of Service
A vulnerability in the Precision Time Protocol (PTP) subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition of the Precision Time Protocol.
The vulnerability is due to insufficient processing of PTP packets. An attacker could exploit this vulnerability by sending a custom PTP packet to, or through, an affected device. A successful exploit could allow the attacker to cause a DoS condition for the PTP subsystem, resulting in time synchronization issues across the network.
The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ptp.
CVE-2018-0473 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Vulnerability #4: IPv6 Hop-by-Hop Options Denial of Service
A vulnerability in the IPv6 processing code of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload.
The vulnerability is due to incorrect handling of specific IPv6 hop-by-hop options. An attacker could exploit this vulnerability by sending a malicious IPv6 packet to or through the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition on an affected device.
The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipv6hbh.
CVE-2018-0467 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #5: Cisco Discovery Protocol Denial of Service
A vulnerability in the implementation of Cisco Discovery Protocol functionality in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to exhaust memory on an affected device, resulting in a denial of service (DoS) condition.
The vulnerability is due to improper memory handling by the affected software when the software processes high rates of Cisco Discovery Protocol packets that are sent to a device. An attacker could exploit this vulnerability by sending a high rate of Cisco Discovery Protocol packets to an affected device. A successful exploit could allow the attacker to exhaust memory on the affected device, resulting in a DoS condition.
The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-dos.
CVE-2018-15373 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. (The attack vector is Adjacent, matching the adjacent attacker described above; an AV:N vector with these metrics would score 8.6, as for the HTTP and IPv6 vulnerabilities.)
Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Update the affected products per the table below:
| Product Family | Affected Versions | Updates Available |
| Stratix 5400 Industrial Ethernet Switches | 15.2(6)E0a and earlier | Apply FRN 15.2(6)E2a or later (Download) |
| Stratix 5410 Industrial Distribution Switches | 15.2(6)E0a and earlier | Apply FRN 15.2(6)E2a or later (Download) |
| Stratix 5700 Industrial Managed Ethernet Switches | 15.2(6)E0a and earlier | Apply FRN 15.2(6)E2a or later (Download) |
| Stratix 8300 Modular Managed Ethernet Switches | 15.2(4a)EA5 and earlier | Apply FRN 15.2(4)EA7 or later (Download) |
| Stratix 8000 Modular Managed Ethernet Switches | 15.2(6)E0a and earlier | Apply FRN 15.2(6)E2a or later (Download) |
| ArmorStratix 5700 Industrial Managed Ethernet Switches | 15.2(6)E0a and earlier | Apply FRN 15.2(6)E2a or later (Download) |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).
| Date | Version | Details |
| 04-April-2019 | 1.0 | Initial release |
Version 1.1 - April 3, 2019
Version 1.0 - May 18, 2017
A vulnerability exists in the MicroLogix™ 1100 controllers that, if successfully exploited, can cause a Denial of Service (DoS) condition. These controllers are used to control processes across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to this discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a Denial of Service (DoS) condition. PCCC messages are supported on Serial as well as Ethernet communication ports. The vulnerability is due to improper handling of PCCC messages.
CVE-2017-7924 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Customers using the affected controllers are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed toward risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Product Family | Catalog Numbers | Suggested Actions |
| Micrologix 1100 | 1763-L16BWA 1763-L16AWA 1763-L16BBB 1763-L16DWD | |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.
| Date | Version | Details |
| 18-MAY-2017 | 1.0 | Initial Release |
| 03-APR-2019 | 1.1 | Updated with IPS rule from Check Point, CVE link |
Version 1.1 - March 29, 2019
Version 1.0 – March 28, 2019
Rockwell Automation received a report from security researcher Nicholas Merle of Applied Risk regarding a communication disruption/Denial of Service vulnerability in the embedded Ethernet port of PowerFlex® 525 AC drives.
A firmware upgrade to the PowerFlex 525 drive corrects this vulnerability. We encourage affected customers to evaluate the mitigations provided below and apply the appropriate mitigations based on their deployed products. Additional details relating to the discovered vulnerability, including affected product versions and mitigation actions, are provided herein.
PowerFlex 525 AC Drives with Embedded EtherNet/IP Port
Note: The 25-COMM-E2P Dual-Port EtherNet/IP Adapter, sometimes used with the PowerFlex 525 AC Drive, is not affected by this vulnerability.
A remote, unauthenticated threat actor who gains access to the Ethernet network containing a PowerFlex 525 drive can repeatedly send specific CIP packets to an affected drive. These repeated packets can result in resource exhaustion, denial of service, and/or memory corruption. The drive is then left in a state where it cannot receive new messages over its embedded EtherNet/IP port, including over existing CIP explicit messaging connections; establishing new (or re-establishing lost) CIP I/O connections to the drive is also affected. Existing CIP I/O connections to the drive continue to operate normally. A manual reboot is required to restore normal operation of the device.
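Both this advisory and the CompactLogix 5370 Email Object advisory above describe unauthenticated traffic to the EtherNet/IP explicit-messaging port (TCP 44818), so a network-side monitor is the check a practitioner wants in place while firmware is being updated. The following Python is an added example, not Rockwell code: it reads constructed flow-log lines in an assumed format, flags originators that are not on an assumed per-device allowlist, and flags a burst of explicit messages from one source to one device above an assumed threshold (the pattern this advisory describes). Addresses, thresholds and the log layout are all assumptions.

```python
"""Flow-log monitor for EtherNet/IP explicit messaging (TCP 44818): flags
originators not on the allowlist and bursts of explicit messages to one
device. Added example, not Rockwell code; log format, thresholds and
addresses are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENIP_PORT = 44818
WINDOW_SECONDS = 1.0
MAX_MESSAGES_PER_WINDOW = 20     # assumed tolerance for an explicit-messaging burst
# device -> hosts allowed to open explicit messaging to it (assumed allowlist)
ALLOWED_ORIGINATORS = {"10.1.2.10": {"10.1.2.50"}}

# Assumed log line shape: '<ISO-8601 UTC> src=<ip> dst=<ip> dport=<port>'
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_line(line):
    """(timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))


def detect(lines):
    """Return [(kind, src, dst, timestamp)] with at most one alert of each
    kind per (src, dst) pair. Lines must be in time order."""
    recent = defaultdict(deque)      # (src, dst) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport != ENIP_PORT:
            continue
        key = (src, dst)
        # Any host not on the device's allowlist talking CIP to it is suspect,
        # because the vulnerable services need no authentication.
        if dst in ALLOWED_ORIGINATORS and src not in ALLOWED_ORIGINATORS[dst]:
            if ("unauthorized-source",) + key not in alerted:
                alerted.add(("unauthorized-source",) + key)
                alerts.append(("unauthorized-source", src, dst, ts))
        # Sliding window: a burst of explicit messages to one device is the
        # resource-exhaustion pattern the PowerFlex 525 advisory describes.
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_MESSAGES_PER_WINDOW and ("explicit-message-flood",) + key not in alerted:
            alerted.add(("explicit-message-flood",) + key)
            alerts.append(("explicit-message-flood", src, dst, ts))
    return alerts


def constructed_log():
    """Constructed sample: an engineering workstation polling a drive every
    200 ms, a web request (ignored), then an unknown host sending 25 CIP
    messages to the drive in half a second."""
    base = datetime(2019, 3, 28, 10, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(milliseconds=200 * i)
        lines.append("%s src=10.1.2.50 dst=10.1.2.10 dport=44818" % t.strftime(TS_FMT))
    t = base + timedelta(seconds=1)
    lines.append("%s src=10.1.2.99 dst=10.1.2.10 dport=80" % t.strftime(TS_FMT))
    for i in range(25):
        t = base + timedelta(seconds=2, milliseconds=20 * i)
        lines.append("%s src=10.1.2.99 dst=10.1.2.10 dport=44818" % t.strftime(TS_FMT))
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(*alert)
```

The allowlist alert fires on the first packet from an unknown originator and does not wait for a threshold; the flood alert is rate-based so that a legitimate workstation that polls steadily is never flagged. Neither check replaces the firmware update, since the page says a single session from a permitted host can still trigger the fault.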
CVE-2018-19282 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Customers using the affected firmware revisions are encouraged to update to an available firmware revision that addresses the vulnerability. Customers who are unable to update their firmware are encouraged to employ one or more of the general security guidelines in the next section of this document.
| Product Family | Catalog Numbers | Suggested Actions |
| PowerFlex 525 AC Drives with an Embedded EtherNet/IP Port | Catalog numbers beginning with "25B-". For more information about catalog numbers, see page 13 of the PowerFlex 520-Series Adjustable Frequency AC Drive User Manual. | Update to firmware revision 5.002 or later (Download). |
For further information on the vulnerability handling process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing Rockwell Automation and Cisco validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 28-March-2019 | 1.0 | Initial release |
| 29-March-2019 | 1.1 | Added additional publication links |
Version 1.0 - March 04, 2019
Rockwell Automation received a report from Tenable regarding a potential vulnerability in versions of RSLinx® Classic software, which if successfully exploited, can cause memory corruption issues. A successful exploitation may result in a crash of the software application (Denial of Service) or potentially allow the threat actor to execute arbitrary code on the target machine.
RSLinx® Classic is communication software that connects Allen-Bradley® Programmable Logic Controllers (PLCs) to a wide variety of software applications, ranging from programming, data acquisition and configuration applications to those that interact with a Human-Machine Interface (HMI).
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
RSLinx Classic, v4.10.00 and earlier
An input validation issue exists in a .dll file of RSLinx Classic where the data in a Forward Open service request is passed to a fixed size buffer. This buffer overflow may terminate the RSLinx.exe application causing a Denial of Service, and/or potentially allow the threat actor to remotely execute arbitrary code on the victim’s machine.
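The advisory does not publish the buffer size or which field is copied; the following Python shows the input-validation step its description implies, as an added example (not RSLinx code). It decodes the data portion of a CIP Forward Open request, whose connection path length is declared by an attacker-controlled one-byte word count, rejects a declared length that exceeds an assumed receive-buffer size or the bytes actually received, and models how far a copy driven by that count alone would overrun a fixed buffer. The 36-byte field layout is the standard Forward Open request; the buffer size, sample field values and sample path are assumptions.

```python
"""Bounds-checked parser for the data portion of a CIP Forward Open request
(service 0x54 to the Connection Manager object). Added example, not RSLinx
code: MAX_PATH_BYTES is an assumed stand-in for the fixed-size buffer the
advisory describes."""
import struct

FORWARD_OPEN = 0x54
# Forward Open request fields before the connection path: priority/tick,
# timeout ticks, O->T and T->O connection IDs, connection serial, vendor ID,
# originator serial, timeout multiplier, 3 reserved bytes, O->T RPI/params,
# T->O RPI/params, transport class/trigger, connection path size (16-bit words).
HEADER_FMT = "<BBIIHHIB3BIHIHBB"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 36 bytes
MAX_PATH_BYTES = 64   # assumed capacity of the receiver's path buffer (hypothetical)


class MalformedForwardOpen(ValueError):
    pass


def parse_forward_open(data):
    """Decode the header and connection path, or raise if the declared path
    size does not fit the buffer or the bytes actually received."""
    if len(data) < HEADER_LEN:
        raise MalformedForwardOpen("truncated header: %d bytes" % len(data))
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    path_words = fields[-1]
    path_len = 2 * path_words
    # The checks the vulnerable copy lacked: path_words is attacker-controlled.
    if path_len > MAX_PATH_BYTES:
        raise MalformedForwardOpen("connection path %d bytes exceeds buffer of %d"
                                   % (path_len, MAX_PATH_BYTES))
    if HEADER_LEN + path_len > len(data):
        raise MalformedForwardOpen("declared path %d bytes, only %d present"
                                   % (path_len, len(data) - HEADER_LEN))
    return {
        "ot_connection_id": fields[2],
        "to_connection_id": fields[3],
        "connection_serial": fields[4],
        "vendor_id": fields[5],
        "originator_serial": fields[6],
        "path_words": path_words,
        "path": data[HEADER_LEN:HEADER_LEN + path_len],
    }


def unchecked_copy_overrun(data, buf_size=MAX_PATH_BYTES):
    """Model of the defect: bytes written past a buf_size buffer when the copy
    length is taken from the declared path size without validation."""
    if len(data) < HEADER_LEN:
        raise MalformedForwardOpen("truncated header: %d bytes" % len(data))
    path_words = data[HEADER_LEN - 1]
    return max(0, 2 * path_words - buf_size)


def build_forward_open(path, declared_words=None):
    """Constructed request for testing; declared_words overrides the true
    size to mimic a crafted packet. Field values are illustrative."""
    words = len(path) // 2 if declared_words is None else declared_words
    header = struct.pack(HEADER_FMT,
                         0x0A, 0xF0,          # priority/tick, timeout ticks
                         0, 0,                # connection IDs (assigned by the target)
                         0x1234, 0x0001,      # connection serial, vendor ID
                         0xDEADBEEF, 0x01,    # originator serial, timeout multiplier
                         0, 0, 0,             # reserved
                         1000000, 0x43F4,     # O->T RPI (us), params: point-to-point, variable, 500 bytes
                         1000000, 0x43F4,     # T->O RPI (us), params
                         0xA3,                # transport class/trigger
                         words)
    return header + path


# Constructed sample path: port 1, link address 0, then class 0x02 instance 1.
SAMPLE_PATH = bytes([0x01, 0x00, 0x20, 0x02, 0x24, 0x01])

if __name__ == "__main__":
    print(parse_forward_open(build_forward_open(SAMPLE_PATH)))
    crafted = build_forward_open(SAMPLE_PATH, declared_words=0xFF)
    print("unchecked copy would overrun by", unchecked_copy_overrun(crafted), "bytes")
```

The two rejections are distinct: a declared size larger than the buffer is the overflow case, and a declared size larger than what was received is an over-read that an unchecked parser would also accept. A network IDS sitting between the engineering workstation and the plant floor can apply the same checks to Forward Open requests on TCP 44818.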
CVE-2019-6553 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 10/10 has been assigned. This high CVSS score reflects the potential impact of a successful remote code execution scenario, where a threat actor is able to gain full control of the victim’s machine.
For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Customers using the affected software versions are encouraged to assess their level of risk and, if necessitated, update their software to an available revision that addresses the associated risk. Customers who are unable to implement a software patch are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Product Family | Catalog Numbers | Suggested Actions |
| RSLinx Classic | 9355-WABx | Software patches have been released for the following versions of RSLinx Classic: v3.60, v3.70, v3.80, v3.81, v3.90, v4.00.01 and v4.10. These patches can be found at Knowledgebase Article ID 1084828. |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 04-March-2019 | 1.0 | Initial Release |
Version 1.1 - Feb 06, 2019
Version 1.0 - Feb 04, 2019
Rockwell Automation received a report from researchers at Tenable regarding a potential vulnerability which affects EtherNet/IP™ Web Server modules that, if successfully exploited, can allow a threat actor to deny communication with the Simple Network Management Protocol (SNMP) service until the device can be restarted.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply them appropriately to deployed products.
EtherNet/IP Web Server Modules
CompactLogix™ Controller EtherNet/IP Web Server Module
An unauthenticated, remote threat actor could potentially send a crafted UDP packet to the affected product's SNMP service. Improper handling of this crafted packet could result in a denial of service for SNMP: UDP port 161 stops receiving messages until the device is power-cycled. The web UI may show that the service is running even when it is not available. The control functionality of the device is unaffected.
CVE-2018-19016 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 5.3/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.
Customers are encouraged to assess their level of risk with respect to their specific applications and implement appropriate mitigations as needed and, if necessary, contact their local distributor or Sales Office.
| Product Family | Catalog Numbers | Suggested Actions |
| EtherNet/IP Web Server Module | 1756-EWEB, Series A (all versions); Series B (all versions) | |
| CompactLogix EtherNet/IP Web Server Module | 1768-EWEB, all versions | |
NOTE: Customers are urged to evaluate their level of risk and, if necessary, contact their local distributor or Sales Office.
| Date | Version | Details |
| 06-Feb-2019 | 1.1 | ICS-CERT and Tenable Advisory links added |
| 04-Feb-2019 | 1.0 | Initial Release |
Version 1.0 - November 27, 2018
Rockwell Automation received a report detailing vulnerabilities in software components that are shared by products that utilize the FactoryTalk® Services Platform. These vulnerabilities, if successfully exploited, may result in diminished communication or complete communication loss (denial of service) to the products that utilize the targeted services. FactoryTalk Services Platform consists of a suite of services, which create a services-oriented architecture (SOA). The SOA enables real-time data sharing across a range of software applications used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
FactoryTalk Services Platform, v2.90 and earlier.
Note: This vulnerability is addressed in FactoryTalk Services Platform v3.00. Additional software patches and details are provided in the Risk Mitigations and Recommended User Actions section below.
Nearly all FactoryTalk software ships with FactoryTalk Services Platform. If you have a product from the following list, you may also be affected. If you are unsure of which FactoryTalk Services Platform version is installed on your machine, see Knowledgebase Article ID 25612 for additional details.
A remote, unauthenticated threat actor could send numerous crafted packets to the following service ports: 1332, 5241, 6543 and 4241. This results in growing memory consumption that could lead to a partial or complete denial of service for products utilizing the targeted services until the process is restarted.
CVE-2018-18981 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the common vulnerability scoring system ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Customers using affected versions of FactoryTalk Services Platform are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Currently Installed | Suggested Actions |
| FactoryTalk® Services Platform, v2.90 and earlier | Update FactoryTalk Services Platform to v3.00 or later (Download). For customers who are unable to update to v3.00, software patches have been released for v2.74, v2.80, v2.81 and v2.90; these patches can be found at Knowledgebase Article ID 1082055. |
| Date | Version | Details |
| 27-Nov-2018 | 1.0 | Initial Release |
Version 1.0 - November 6, 2018
Rockwell Automation received a report from ICS-CERT regarding a vulnerability in certain products that, if successfully exploited, allows a threat actor to disrupt Ethernet communication by making Internet Protocol (IP) configuration changes to the affected device. The affected products include MicroLogix™ 1400 controllers and 1756 ControlLogix® EtherNet/IP Communications Modules.
These products currently adhere to the ODVA EtherNet/IP standard. We have addressed the risks exposed by this specific issue, and have taken additional action with ODVA to produce a standard that improves the security protocol utilized by industrial automation devices including those developed by Rockwell Automation.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details, including affected product versions and mitigation actions, are provided herein.
MicroLogix 1400 Controllers
1756 ControlLogix EtherNet/IP Communications Modules
An unauthenticated, remote threat actor could potentially open a CIP connection to an affected device and, once connected, send it a new IP configuration, even if the controller in the system is set to Hard RUN mode. When the affected device accepts the new IP configuration, communication between the device and the rest of the system is lost, because the rest of the system continues to address the device by the IP address that was overwritten.
Rockwell Automation evaluated the vulnerability using the common vulnerability scoring system ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update their firmware are directed towards additional risk mitigation strategies provided below, and are encouraged when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Product Family | Catalog Numbers | Suggested Actions |
| MicroLogix™ 1400 Controllers | 1766-Lxxx, Series A | No direct mitigation provided. See NOTE: below for recommended actions. |
| MicroLogix™ 1400 Controllers | 1766-Lxxx, Series B or C | 1. Apply FRN 21.004 or later (Download). 2. Once the new FRN is applied, use the LCD display to put the controller in RUN mode to prevent configuration changes. See the MicroLogix 1400 Programmable Controllers User Manual for details. |
| 1756 EtherNet/IP Web Server Module | 1756-EWEB, All Series | No direct mitigation provided. See NOTE: below for recommended actions. |
| 1756 ControlLogix® EtherNet/IP Communications Modules | 1756-ENBT, all versions; 1756-EN2F Series A and B, all versions; 1756-EN2T Series A, B and C, all versions; 1756-EN2TR Series A and B, all versions; 1756-EN3TR Series A | No direct mitigation provided. See NOTE: below for recommended actions. |
| 1756 ControlLogix® EtherNet/IP Communications Modules | 1756-EN2F Series C; 1756-EN2T Series D; 1756-EN2TR Series C; 1756-EN3TR Series B | 1. Apply FRN 11.001 or later (Download). 2. Once the new FRN is applied, enable Explicit Protected Mode. See the EtherNet/IP Network Configuration User Manual for details. |
NOTE: Customers that are sent here from the Suggested Action column above are urged to assess their risk and, if necessary, contact their local distributor or Sales Office in order to upgrade to a newer product line that contains the relevant mitigations.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).
| Date | Version | Details |
| 06-Nov-2018 | 1.0 | Initial Release. |
Version 1.2 - November 1, 2018
On August 11, 2015, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley® CompactLogix™ controller platform. The researcher had previously presented this information at the DEFCON 23 conference on August 8, 2015, publicly disclosing details of the vulnerability and stating that exploit code exists. However, as of this publication, no exploit code for this vulnerability is known to have been released to the public.
As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the CompactLogix™ platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has also reproduced the vulnerability. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.
Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.
2016-03-01 UPDATE v1.1: Rockwell Automation has identified additional products containing this vulnerability, and these products are listed below. See the Risk Mitigations section below for information on available product firmware updates.
2018-11-01 UPDATE v1.2: Rockwell Automation received a report from an external researcher identifying additional product families that contain this vulnerability. These products are listed below. Please see the Risk Mitigations section for information on available firmware updates that address these vulnerabilities.
2016-03-01 UPDATE: Additional Products:
2018-11-01 UPDATE: Additional Products:
The vulnerability in the web application of the affected device allows an attacker to inject arbitrary JavaScript into an unsuspecting user's web browser through reflected cross-site scripting (XSS). The impact on the user's automation system depends heavily on both the JavaScript payload used in the attack and the mitigations the user already employs. The target of this type of attack is not the Programmable Automation Controller or Communications module itself; these devices are the vehicle that delivers the attack to the web browser.
A successful attack would not compromise the integrity of the device nor allow access to confidential information contained on it. On rare occasions, the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.
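To make the attack pattern concrete, the C fragment below is an added illustration, not the device's web server code: the page text, parameter name, function names and buffer sizes are assumptions. An embedded web server that echoes a request parameter into the page verbatim is the reflected XSS pattern the advisory describes; the hardened handler HTML-escapes the value before interpolating it, so the same link renders as inert text instead of a script the visiting browser executes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable: the request parameter is written into the page verbatim, so a
 * value such as <script>...</script> is executed by the visiting browser. */
int render_unsafe(const char *param, char *out, size_t cap)
{
    int n = snprintf(out, cap, "<p>Page not found: %s</p>", param);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Escape the characters that matter in an HTML text context. Returns the
 * number of bytes written (excluding NUL), or -1 if 'out' is too small. */
int html_escape(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    if (cap == 0)
        return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        size_t r = strlen(rep);
        if (o + r >= cap)
            return -1;               /* no room for the text plus terminating NUL */
        memcpy(out + o, rep, r);
        o += r;
    }
    out[o] = '\0';
    return (int)o;
}

/* Hardened: escape first, then interpolate. */
int render_safe(const char *param, char *out, size_t cap)
{
    char esc[512];
    if (html_escape(param, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, cap, "<p>Page not found: %s</p>", esc);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* 1 if rendering 'param' with the given handler leaves a live <script tag in the page. */
int reflects_script(int (*render)(const char *, char *, size_t), const char *param)
{
    char page[1024];
    if (render(param, page, sizeof page) != 0)
        return -1;
    return strstr(page, "<script") != NULL;
}

/* Helpers used to check html_escape in isolation. */
int escapes_to(const char *in, const char *expected)
{
    char buf[256];
    return html_escape(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int escapes_within(const char *in, size_t cap)   /* cap must be <= 256 */
{
    char buf[256];
    return html_escape(in, buf, cap > sizeof buf ? sizeof buf : cap);
}

int main(void)
{
    /* Constructed payload of the kind a reflected XSS link would carry. */
    const char *payload = "<script>alert(document.cookie)</script>";
    char page[1024];
    render_unsafe(payload, page, sizeof page);
    printf("unsafe: %s\n", page);
    render_safe(payload, page, sizeof page);
    printf("safe:   %s\n", page);
    return 0;
}
```

Escaping is context-specific: this function is correct for text between tags and for double-quoted attribute values, but a value placed inside a JavaScript block or a URL needs a different encoding.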
CVE-2016-2279 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
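Every CVSS vector string on this page (CVE-2019-6553, CVE-2018-19016, CVE-2018-18981, the IP configuration advisory above, and CVE-2016-2279) is scored with the same CVSS v3.0 base equations. The C calculator below is an added example, not Rockwell Automation or FIRST code; it implements those equations from the v3.0 specification and reproduces the five scores given on this page (10.0, 5.3, 7.5, 8.6 and 6.1). The only liberty taken is the Roundup function, which uses the integer method introduced in CVSS v3.1; it yields the same results for these vectors and avoids floating-point artefacts such as 4.0000001 rounding up to 4.1.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Metric weights from the CVSS v3.0 specification; -1 marks an invalid value. */
static double w_av(char v)  { return v=='N'?0.85 : v=='A'?0.62 : v=='L'?0.55 : v=='P'?0.20 : -1; }
static double w_ac(char v)  { return v=='L'?0.77 : v=='H'?0.44 : -1; }
static double w_ui(char v)  { return v=='N'?0.85 : v=='R'?0.62 : -1; }
static double w_cia(char v) { return v=='H'?0.56 : v=='L'?0.22 : v=='N'?0.0 : -1; }

/* Privileges Required weighs more when Scope is Changed. */
static double w_pr(char v, int changed)
{
    if (v == 'N') return 0.85;
    if (v == 'L') return changed ? 0.68 : 0.62;
    if (v == 'H') return changed ? 0.50 : 0.27;
    return -1;
}

static double pow_int(double x, int n) { double r = 1.0; while (n-- > 0) r *= x; return r; }

/* Round up to one decimal place using the v3.1 integer Roundup method. */
static double round_up(double x)
{
    long long i = (long long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0)
        return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

/* Parse a vector such as "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" and
 * return its base score, or -1.0 if the vector is malformed. */
double cvss30_base_score(const char *vector)
{
    char buf[128];
    char av = 0, ac = 0, pr = 0, ui = 0, s = 0, c = 0, i = 0, a = 0;
    if (strlen(vector) >= sizeof buf)
        return -1.0;
    strcpy(buf, vector);
    char *tok = strtok(buf, "/");
    if (!tok || strncmp(tok, "CVSS:3.", 7) != 0)
        return -1.0;
    while ((tok = strtok(NULL, "/")) != NULL) {
        size_t n = strlen(tok);
        if (n == 4 && tok[2] == ':') {               /* two-letter metrics */
            if      (!strncmp(tok, "AV", 2)) av = tok[3];
            else if (!strncmp(tok, "AC", 2)) ac = tok[3];
            else if (!strncmp(tok, "PR", 2)) pr = tok[3];
            else if (!strncmp(tok, "UI", 2)) ui = tok[3];
            else return -1.0;
        } else if (n == 3 && tok[1] == ':') {        /* one-letter metrics */
            switch (tok[0]) {
            case 'S': s = tok[2]; break;
            case 'C': c = tok[2]; break;
            case 'I': i = tok[2]; break;
            case 'A': a = tok[2]; break;
            default: return -1.0;
            }
        } else {
            return -1.0;
        }
    }
    if (s != 'U' && s != 'C')
        return -1.0;
    int changed = (s == 'C');
    double AV = w_av(av), AC = w_ac(ac), PR = w_pr(pr, changed), UI = w_ui(ui);
    double C = w_cia(c), I = w_cia(i), A = w_cia(a);
    if (AV < 0 || AC < 0 || PR < 0 || UI < 0 || C < 0 || I < 0 || A < 0)
        return -1.0;

    double iss = 1.0 - (1.0 - C) * (1.0 - I) * (1.0 - A);
    double impact = changed ? 7.52 * (iss - 0.029) - 3.25 * pow_int(iss - 0.02, 15)
                            : 6.42 * iss;
    double exploitability = 8.22 * AV * AC * PR * UI;
    if (impact <= 0.0)
        return 0.0;
    double raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    return round_up(raw > 10.0 ? 10.0 : raw);
}

/* Non-zero if 'vector' scores 'expected' to one decimal place. */
int scores_as(const char *vector, double expected)
{
    double d = cvss30_base_score(vector) - expected;
    return d < 0.0005 && d > -0.0005;
}

int main(void)
{
    const char *vectors[] = {
        "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",   /* CVE-2019-6553  */
        "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",   /* CVE-2018-19016 */
        "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",   /* CVE-2018-18981 */
        "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",   /* IP configuration advisory */
        "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",   /* CVE-2016-2279  */
    };
    for (size_t k = 0; k < sizeof vectors / sizeof vectors[0]; k++)
        printf("%s -> %.1f\n", vectors[k], cvss30_base_score(vectors[k]));
    return 0;
}
```

The scope-changed branch is what separates the 8.6 of the IP configuration advisory from the 7.5 of the FactoryTalk one: both have identical impact metrics (A:H only), but S:C applies the steeper impact curve and the 1.08 multiplier.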
| Platform | Catalog Number | Recommendation |
| 1756 ControlLogix® EtherNet/IP Communications Modules | 1756-ENBT, all versions; 1756-EN2F Series A and B, all versions; 1756-EN2T Series A, B and C, all versions; 1756-EN2TR Series A and B, all versions; 1756-EN3TR Series A | No direct mitigation provided. See NOTE: below for recommended actions. |
| 1756 ControlLogix® EtherNet/IP Communications Modules | 1756-EN2F Series C; 1756-EN2T Series D; 1756-EN2TR Series C; 1756-EN3TR Series B | Apply FRN 10.010 or later (Download) |
| Small Controllers: CompactLogix™ 5370 L1, L2 and L3 | 1769-L16XX, 1769-L18XX, 1769-L24XX, 1769-L27XX, 1769-L30XX, 1769-L33XX, 1769-L36XX | 1. Apply FRN 28.011 or later (Download). 2. Check Point has released the following Intrusion Prevention System (IPS) definition to address this vulnerability: CPAI-2018-1030 |
| CompactLogix™ Packaged Controllers | 1769-L23E-QB1B, 1769-L23E-QBFC1B | Discontinued as of June 2016. 1. Recommended migration: 1769-L23E-QB1B to 1769-L24ER-BB1B; 1769-L23E-QBFC1B to 1769-L24ER-QBFC1B. 2. Check Point has released the following Intrusion Prevention System (IPS) definition to address this vulnerability: CPAI-2018-1030 |
NOTE: Customers using previous series of the affected 1756 EtherNet/IP catalog numbers are urged to assess their risk and, if necessary, contact their local distributor or Sales Office in order to upgrade to a newer product line that contains the relevant mitigations.
| Date | Version | Details |
| 03-SEP-2015 | 1.0 | Initial Release |
| 01-MAR-2016 | 1.1 | Update: Additional Products |
| 01-NOV-2018 | 1.2 | Update: Additional Products and IPS Definition |
Version 1.8 - October 1, 2018
Version 1.7 - February 14, 2018
Version 1.6 - February 6, 2018
Version 1.5 - February 2, 2018
Version 1.4 - January 26, 2018
Version 1.3 - January 23, 2018
Version 1.2 - January 18, 2018
Version 1.1 - January 10, 2018
Version 1.0 - January 8, 2018
On January 3, 2018, researchers announced a set of new hardware-level vulnerabilities named "Meltdown" and "Spectre". Both exploit speculative execution in modern microprocessors to let a malicious process read the contents of memory it is not authorized to access, and they affect multiple generations of Central Processing Units (CPUs).
Rockwell Automation is aware of these vulnerabilities and of how they could, if exploited, potentially impact our customers’ environments. Rockwell Automation is diligently working through the process of evaluating how the mitigation techniques will impact the functionality and performance of the Rockwell Automation hardware, software, and pre-engineered products and solutions that incorporate third party microprocessors. Rockwell Automation will continue to provide updated information as soon as reliable performance tests are completed.
Rockwell Automation Products
Rockwell Automation is currently investigating its product portfolio in order to identify which of its products may be directly affected by the "Meltdown" and "Spectre" vulnerabilities. Rockwell Automation will continue to monitor this situation, and will update this advisory if necessary.
UPDATE: Oct 01, 2018
Rockwell Automation has released new BIOS for certain Industrial Environment Computers that address the Meltdown and Spectre vulnerabilities. See below for details.
UPDATE: Feb 06, 2018
As of this writing, Rockwell Automation has evaluated many of our product families. Depending on the products’ architectures, effects of the Meltdown and Spectre vulnerabilities may significantly vary. Below is more information on Rockwell Automation’s evaluation.
NOTE: Rockwell Automation may continue to evaluate additional products that we suspect to be affected and will update this advisory accordingly.
I. Rockwell Automation has concluded that the following Active or Active Mature products contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. Please see Knowledgebase Article ID 1071234 for detailed information about which Rockwell Automation-qualified Microsoft patches to apply to your products based on the Windows Operating System in use. As BIOS updates become available, Rockwell Automation will continue to update this advisory. The products are as follows:
| Product Family | Affected Versions | Bul. # |
| 6181X Hazardous Location Computers | Series H, All Versions | Bul. 6181X |
| 6181P Integrated Display Computers | Series F, All Versions | Bul. 6181P |
| 6177R Non-Display Computers | Series C, All Versions | Bul. 6177R |
| VersaView® 5400 Industrial Computers | Series A, All Versions | Bul. 6200P |
| VersaView® 5200 ThinManager® Thin Clients | Series A, All Versions | Bul. 6200T |
In addition, Rockwell Automation has also determined the following discontinued products are similarly affected. Customers with discontinued products are encouraged to contact their local distributor or Sales Office to discuss a migration path to Active product lines.
| Product Family | Affected Versions | Bul. # |
| 6181X Hazardous Location Computers | Series E, F, G, All Versions | Bul. 6181X |
| 6181P Integrated Display Computers | Series A-E, All Versions | Bul. 6181P |
| 6177R Non-Display Computers (750R & 1450R) | Series A, B, All Versions | Bul. 6177R |
| 6155R/F Compact Non-Display Computers (200R) | All Versions | Bul. 6155R & Bul. 6155F |
| 6180P Integrated Display Computer with Keypad (1200P & 1500P) | All Versions | Bul. 6180P |
| 6180W VersaView Industrial Workstations (1200W & 1500W) | All Versions | Bul. 6180W |
| 6181F Integrated Display Computer (NDM, 1200P, 1500P, 1700P) | All Versions | Bul. 6181F |
| 6181H Integrated Display Computer (1500P) | All Versions | Bul. 6181H |
| 6183H Hazardous Location Computer (1200P) | All Versions | Bul. 6183H |
Please see the Microsoft Patch Qualification section below for additional mitigation strategies.
II. The following products are Active or Active Mature and contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. However, as a result of the product architecture, Rockwell Automation has concluded that the Meltdown and Spectre vulnerabilities do not pose a significant risk to these products:
| Product Family | Affected Versions | Bul. # |
| ControlLogix® 5580 Controllers | All Versions | • 1756-L8 |
| 5069 CompactLogix™ 5380 Controllers | All Versions | • 5069-L3 |
| 5069 Compact I/O™ EtherNet/IP Adapters | All Versions | • 5069-AENTR • 5069-AEN2TR |
| 5069 Compact I/O™ Modules | All Versions | • 5069-Ix • 5069-Ox |
| ControlLogix® EtherNet/IP Modules | All Versions | • 1756-EN2F, Series C • 1756-EN2T, Series D • 1756-EN2TP, Series A • 1756-EN2TR, Series C • 1756-EN2TRXT, Series C • 1756-EN2TSC, Series B • 1756-EN2TXT, Series D • 1756-EN2TK, Series D • 1756-EN2TRK, Series C |
| FactoryTalk® Analytics for Devices | All Versions | • 6200P-NS3C6 |
| FactoryTalk® Historian Machine Edition (ME) Module | All Versions | • 1756-HIST |
| PowerFlex® 755T Drive Solutions | All Versions | • Bul. 20G |
| Kinetix® 5700 Modules (Single Axis, Double Axis) | All Versions | • 2198-Sxxx • 2198-Dxxx |
| PowerFlex® 750 Series EtherNet/IP Option Module - Dual Port | All Versions | • 20-750-ENETR |
| PowerFlex® 750 Series Safe Speed Monitor Option Module | All Versions | • 20-750-S1 |
| PowerFlex® 527 Compact-Class AC Drives | All Versions | • Bul. 25C |
| PowerFlex® 753 Architecture-Class AC Drives | All Versions | • Bul. 20F |
| PowerFlex® 7000 Medium Voltage AC Drives | All Versions | • Catalogs 7000, 7000A, 7000L |
| PowerFlex® 6000 Medium Voltage AC Drives | All Versions | • Catalogs 6000, 6000U |
| PanelView™ 5310 Operator Interface Terminal | All Versions | • 2713P-xx |
| PanelView™ Plus 7 Standard | All Versions | • 2711P-XXXXXXXX8S |
| PanelView™ 5500 | All Versions | • 2715-xx |
| PanelView™ Plus 7 Performance | All Versions | • 2711P-XXXXXXXX9P |
| PanelView™ Plus 6 400-600 | All Versions | • 2711P-X*XXX8 and 2711P-X*XXX9 |
| PanelView™ Plus 6 Compact 400 and 600 | All Versions | • 2711PC-X4XXXD8 • 2711PC-X6XXXD8 |
| MobileView™ | All Versions | • 2711T-B10I1N1 • 2711T-B10R1K1 • 2711T-B10R1M1 • 2711T-F10G1N1 • 2711T-T10G1N1 • 2711T-T10R1N1 |
III. Lastly, Rockwell Automation has concluded that the following products do not contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. Therefore, these products are not affected by the reported vulnerabilities.
| Product Family | Bul. # |
| ControlLogix® 5570 Controllers | • 1756-L7 |
| GuardLogix® 5570 Controllers | • 1756-L7S |
| ControlLogix® 5560 Controllers | • 1756-L6 |
| GuardLogix® 5560 Controllers | • 1756-L6S |
| ControlLogix® L55 Controllers | • 1756-L55x |
| CompactLogix™ 5370 L1, L2, L3 | • 1769-L1 • 1769-L2 • 1769-L3 |
| ControlLogix® EtherNet/IP Modules | • 1756-ENBT |
| ControlLogix® Web Server Modules | • 1756-EWEB |
| 1769 CompactLogix™ L23x Controllers | • 1769-L23 |
| 1769 CompactLogix™ L3x Controllers | • 1769-L31 • 1769-L32 • 1769-L35 |
| 1768 CompactLogix™ L4x Controllers | • 1768-L4x |
| PanelView™ Plus 6 700-1500 | • 2711P-X*XXX8 and 2711P-X*XXX9 (where * is either 7, 10, 12, or 15) |
| PanelView™ Plus 6 Compact 1000 | • 2711PC-T10C4D8 |
| Kinetix 5500 Servo Drives | • 2198-Hxxx |
| Stratix® 8000 Modular Managed Switches | • 1783-MS |
| Stratix® 8300 Modular Managed Switches | • 1783-RMS |
| Stratix® 5400 Industrial Ethernet Switches | • 1783-HMS |
| Stratix® 5410 Industrial Distribution Switches | • 1783-IMS |
| Stratix® 5700 Industrial Managed Ethernet Switches | • 1783-BMS |
| ArmorStratix™ 5700 Industrial Managed Ethernet Switches for extreme environments | • 1783-ZMS |
| Stratix® 2500 Lightly Managed Switches | • 1783-LMS |
| Stratix® 5900 Services Router | • 1783-SRKIT |
| Stratix® 5950 Security Appliance | • 1783-SAD |
| Stratix® 5100 Wireless Access Point/Workgroup Bridge | • 1783-WAP |
| PowerFlex® 523 Compact-Class AC Drives | • Bul. 25A |
| PowerFlex® 525 Compact-Class AC Drives | • Bul. 25B |
| PowerFlex® 4M Compact-Class AC Drives | • Bul. 22F |
| PowerFlex® 40 Compact-Class AC Drives | • Bul. 22B |
| PowerFlex® 40P Compact-Class AC Drives | • Bul. 22B |
| PowerFlex® 400 Compact-Class AC Drives | • Bul. 22C |
| PowerFlex® 70 Architecture-Class AC Drives | • Bul. 20A |
| PowerFlex® 700 Architecture-Class AC Drives | • Bul. 20B |
| PowerFlex® 700L Architecture-Class AC Drives | • Bul. 20L |
| PowerFlex® 700S Architecture-Class AC Drives | • Bul. 20D |
| ArmorStart® Distributed Motor Controllers | • Bul. 280 • Bul. 281 • Bul. 283 • Bul. 284 |
| ArmorStart® LT Distributed Motor Controller | • Bul. 290 • Bul. 291 • Bul. 294 |
| ArmorStart® ST Motor Controllers: Safety and Standard Versions | • Bul. 281E • Bul. 284E |
| Mega DySC® Three-Phase Voltage Sag Correction System | • Bul. 1608M |
| Mini DySC® Single-Phase Voltage Sag Correction | • Bul. 1608N |
| ProDySC® Three-Phase Voltage Sag Correction | • Bul. 1608P |
UPDATE: Oct 01, 2018
A new BIOS was released to address the Meltdown and Spectre vulnerabilities that affect these specific series for the following products:
| Product Family | Bul. # | Series with new BIOS |
| 6181X Hazardous Location Computers | Bul. 6181X | Series H, All Versions |
| 6181P Integrated Display Computers | Bul. 6181P | Series F, All Versions |
| 6177R Non-Display Computers | Bul. 6177R | Series C, All Versions |
The new BIOS is available for download from the Product Compatibility and Download Center (PCDC). To find it, search for each catalog number and open the download page for the corresponding series listed above. Only one BIOS version is listed on PCDC under each of these products, and it is the updated version that addresses the Meltdown and Spectre vulnerabilities.
UPDATE: Jan 10, 2018
Industrial Data Center (IDC)
Rockwell Automation is currently working with its software and hardware partners that make up the E1000, E2000 and E3000 Industrial Data Center (IDC) solution to obtain appropriate patches and updates to address the "Meltdown" and "Spectre" vulnerabilities. Rockwell Automation will continue to monitor this situation and provide updates in Knowledgebase Article ID 1071279. For IDC customers with a monitoring and administration contract, please contact Tech Support for assistance with this issue.
Microsoft Patch Qualification
Microsoft has released guidance for Windows Client and Windows Server Operating Systems. As of this writing, the Rockwell Automation MS Patch Qualification team is currently executing their validation processes on security updates related to the "Meltdown" and "Spectre" vulnerabilities. When these tests have been successfully completed, the test results will be made available through the Rockwell Automation MS Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.
UPDATE: Feb 14, 2018
Rockwell Automation evaluated the performance of FactoryTalk® View Site Edition and FactoryTalk® View Point actions on Windows systems updated with the Microsoft Meltdown and Spectre updates. Many factors affect the performance of systems with these mitigations, including but not limited to the CPU version, the age of the operating system, and the workload on the system. In addition to the performance data provided below, customers may also find the Microsoft blog post Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems helpful, as it provides rough estimates of the performance impact by class of CPU and Windows operating system.
Test Environment
| Rockwell Automation: Test Setup Information | | |
| | Server Details | Client Details |
| OS | Windows Server 2008 R2 Standard SP1 | Windows 7 Pro SP1 |
| CPU | Intel E5-2699A v4 @ 2.4GHz, 1 socket, 4 CPUs/socket | Intel E5-2699A v4 @ 2.4GHz, 1 socket, 4 CPUs/socket |
| RAM | 8GB | 8GB |
| Tested Version | 10.00.00.290 | 10.00.00.290 |
| Microsoft Patches Installed | KB4056894: January Monthly Roll-up | KB4056894: January Monthly Roll-up |
Test Results
| Operating System | Test Case: Display Update Rate | Before Patch: Avg (seconds) | After Patch: Avg (seconds) | Change (%) |
| Windows 7 Pro SP1 x64 | Load Display with 3000 numeric values (HMI tags) | 1 | 1.1 | 10.000% |
| | Load Display with 3000 numeric values (Direct Reference tags) | 1.4 | 1.2 | -14.286% |
| | Load Display with 3000 animations | 3 | 4.3 | 43.333% |
| | Download 3000 tags from recipe | 17.9 | 23.5 | 31.285% |
| Windows 2008 R1 Std | Load Display with 3000 numeric values (HMI tags) | 1.1 | 1.2 | 9.091% |
| | Load Display with 3000 numeric values (Direct Reference tags) | 1.3 | 1.1 | -15.385% |
| | Load Display with 3000 animations | 3.3 | 4.4 | 33.333% |
| | Download 3000 tags from recipe | 18.4 | 17.2 | -6.522% |
Test Environment
| Rockwell Automation: Test Setup Information | | |
| | Server Details | Client Details |
| OS | Windows Server 2008 R2 Standard SP1 64-bit | Windows 7 Enterprise SP1 64-bit |
| CPU | Intel Xeon CPU E5-1607 v3 @3.10GHz | Intel Core i3-4150 CPU @3.50GHz |
| RAM | 8GB | 4GB |
| Browser | N/A | Chrome v63.0.3239.84 |
| Tested Version | 10.00.00.290 | 10.00.00.290 |
| Microsoft Patches Installed | KB4056894: January Monthly Roll-up | KB4056894: January Monthly Roll-up |
Test Results
| Overview: Test Case | Details | Before Patch: Avg (seconds) | After Patch: Avg (seconds) | Change (%) |
| Switching displays, recording loading time for each display | Overview Display | 2.78 | 2.85 | 2.518% |
| | Image Heavy Display | 3.15 | 3.90 | 23.810% |
| | Data Heavy Display | 2.18 | 2.51 | 15.138% |
| Recording 10,000 recipes downloading and refreshing time | Download 10,000 recipes | 96.54 | 98.96 | 2.507% |
| | Refresh 10,000 recipes | 18.22 | 17.80 | -2.305% |
| Color Animation Blinking Rate (Rate = 1 second) | Blink Rate (actual) | 1.16 | 1.19 | 2.586% |
| Color Animation Blinking Rate (Rate = 0.5 second) | Blink Rate (actual) | 0.71 | 0.77 | 8.451% |
| Recording time for 2000 Alarm Trigger | Recording Time for 2000 Alarm Trigger | 10.38 | 10.57 | 1.830% |
| Rendering time for 1000 Tags | Rendering Time for 1000 Tags | 2.29 | 2.45 | 6.987% |
UPDATE: Feb 2, 2018
Knowledgebase Article ID 1071234 has been updated to include new patches for Windows 10 that have been qualified by the Rockwell Automation MS Patch Qualification team.
UPDATE: Jan 26, 2018
As of January 26, 2018, the Rockwell Automation MS Patch Qualification team has successfully qualified several Microsoft patches related to the "Meltdown" and "Spectre" vulnerabilities. For detailed and useful information about which qualified Microsoft patches to apply based on your Windows Operating System, please see Knowledgebase Article ID 1071234 under "Solution". Rockwell Automation will continue to test Microsoft patches related to "Meltdown" and "Spectre" and will update Knowledgebase Article ID 1071234 accordingly.
Note: Applying certain Microsoft patches released in early January has been found to cause anomalous behavior in several Rockwell software products, including Studio 5000, FactoryTalk View SE, and RSLinx Classic. If you have been experiencing software issues after installing a Microsoft update to patch "Meltdown" and "Spectre", and/or you would like to see a list of patches known to cause this irregular behavior, please see Knowledgebase Article ID 1071234.
Additionally, Rockwell Automation recommends:
Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, Knowledgebase Article ID 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring additional updates from both Microsoft and your PC/Server vendor(s).
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at Knowledgebase Article ID 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 01-Oct-2018 | 1.8 | Update: Patches for Industrial PCs |
| 14-Feb-2018 | 1.7 | Update: FactoryTalk Software Performance Statistics |
| 06-Feb-2018 | 1.6 | Update: Affected Hardware Products Listed |
| 02-Feb-2018 | 1.5 | Update: Windows 10 Patch Qualification Information posted to Article ID 1071234. |
| 26-Jan-2018 | 1.4 | Update: Moved and clarified location for MS Patch Qualification details (Article ID 1071234). |
| 23-Jan-2018 | 1.3 | Update: Microsoft Patch Qualification for Windows 8.1, Windows Server 2012 R2 / Windows Server 2012 R2 SP1, and Windows Server 2016. |
| 18-Jan-2018 | 1.2 | Update: Microsoft Patch Qualification for Windows 7 and Windows Server 2008 R2. |
| 10-Jan-2018 | 1.1 | Update: Affected Products. |
| 05-Jan-2018 | 1.0 | Initial release. |
Version 1.0 - September 20, 2018
Rockwell Automation received reports regarding potential vulnerabilities in certain versions of RSLinx® Classic that, if successfully exploited, can cause memory corruption issues which may result in a crash of the software application (Denial of Service) or potentially allow the threat actor to execute arbitrary code on the target machine. One of these reports was received from Tenable, a cybersecurity software vendor. RSLinx® Classic is a software solution that allows Logix5000™ Programmable Automation Controllers to connect to a wide variety of Rockwell Software® applications, ranging from programming, data acquisition and configuration applications to those that interact with a human machine interface (HMI).
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
RSLinx Classic, v4.00.01 and earlier
Rockwell Automation received these reports from Tenable, a cybersecurity software vendor, and from ICS-CERT. The report from Tenable contained details regarding Vulnerability #1 and Vulnerability #2. The report from ICS-CERT contained details regarding Vulnerability #3.
Vulnerability #1: Stack Overflow
This vulnerability may allow a remote threat actor to intentionally send a malformed CIP packet to port 44818, causing the software application to stop responding and crash. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the threat actor to remotely execute arbitrary code.
CVE-2018-14829 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 10.0 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Vulnerability #2: Heap Overflow
This vulnerability may allow a remote, unauthenticated threat actor to intentionally send a malformed CIP packet to port 44818, causing the RSLinx Classic application to terminate. The user will need to manually restart the software to regain functionality.
CVE-2018-14821 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Vulnerability #3: Denial of Service
A remote, unauthenticated threat actor may intentionally send specially crafted Ethernet/IP packets to port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality.
CVE-2018-14827 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Customers using the affected controllers are encouraged to update their software with an available patch that addresses the associated risk. Customers who are unable to implement a software patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Product Family | Catalog Numbers | Suggested Actions |
| RSLinx Classic | 9355-WABx | Currently, software patches have been released to address the following versions of RSLinx Classic: V3.60, V3.74, V3.80, V3.81, V3.90, V4.00.01. These patches can be found at Knowledgebase Article ID 1075712. |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 20-Sept-2018 | 1.0 | Initial Release |
Version 1.1 - September 20, 2018
This Industrial Security Advisory is intended to raise awareness among control system owners and operators of the increased risks that stem from publicly available web search tools that identify Internet-connected devices. These types of tools and search utilities can be used for legitimate research purposes; however, they also bear a potential for misuse by threat actors seeking to gather added intelligence about prospective cyber targets.
Rockwell Automation recognizes the potential risk to any device connected to a network that is accessible by unauthorized people, whether the device is isolated within a protected facility or is accessible through a remote connection, including the Internet. We are aware that such Internet search tools have the ability to identify Rockwell Automation branded products that have been connected to the Internet, either intentionally or unintentionally, by the device owners. For this reason, recommendations to mitigate associated risks are provided herein.
Web-based tools, including SHODAN and the Every Routable IP Project (ERIPP), provide a means for users to discover information about networked devices that are either knowingly or unknowingly connected to the Internet. Such connected products include, but are not limited to: web servers, routers, webcams, smart phones, VoIP phones, printers and in some cases industrial control products.
The information collected by these search tools about these Internet-facing devices includes device IP addresses and can also include geographic location (i.e. country, city and approximate latitude/longitude), specific product identity information or user-added descriptors that can be learned through device fingerprinting techniques. Some of these tools also provide a means to both search and filter databases for devices that match specific user-defined search criteria.
Many devices cataloged by these search tools have been designed and installed with the full knowledge that they are directly connected to the Internet; however, other devices identified by these tools were never intended by the manufacturer, or potentially the device installer, to carry a direct connection.
As with all networked devices and systems, industrial control systems are at risk of both accidental and potentially malicious attacks. The availability of search tools that simplify the process of locating and identifying devices unintentionally connected to the Internet raises the associated risk to these devices and systems. It is evident from the device information that some of these devices and accompanying systems lack the recommended security protections provided by good security design and infrastructure-level appliances (e.g. firewalls, SIEMs, and intrusion detection systems).
As a consequence, these types of devices and systems may not operate with obscurity and may become exposed to additional unintended risks. Information provided through search tools could aid a curious individual or malicious threat actor in device-tampering activities or even a penetration into the product or connected system in order to facilitate a cyberattack.
Whether or not Internet-facing industrial control devices are identified by these tools, Rockwell Automation encourages all industrial control system (ICS) owners and operators to follow good security design practices.
These practices must also include careful evaluation and monitoring of all industrial control system connection points to an enterprise system and external remote access connections enabled via modems or direct connections to the Internet.
We recommend concerned customers remain vigilant and continue to follow sound security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest customers apply some of the following recommendations and complement this list with their own best-practices:
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 20-SEP-2018 | 1.1 | Updated to fix broken links |
| 18-JUL-2012 | 1.0 | Initial Release |
Version 1.2 - July 20, 2018
Version 1.1 - May 29, 2018
Version 1.0 - April 12, 2018
Two vulnerabilities were discovered in components distributed with every installation of FactoryTalk® Activation Manager. FactoryTalk Activation Manager enables customers to manage licensed content and activate Rockwell software products. One vulnerability exists in certain versions of Wibu-Systems CodeMeter; the second vulnerability is in certain versions of Flexera Software FlexNet Publisher. Both are license management software.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and include the applicable mitigations in their deployed products. Additional details relating to the vulnerability, including affected products and recommended countermeasures, are provided herein.
UPDATE: July 20, 2018
Cisco has released several Snort Rules addressing the Flexera software vulnerability. See the Risk Mitigations and Recommended User Actions section for more details.
FactoryTalk Activation Manager v4.00.02 and v4.01
FactoryTalk Activation Manager v4.00.02 and earlier
The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. Customers who recognize products from the following list are using FactoryTalk Activation Manager.
Vulnerability #1: CodeMeter Cross-Site Scripting
A Cross-Site Scripting ("XSS") vulnerability was found in certain versions of Wibu-Systems CodeMeter that may allow local attackers to inject arbitrary web script or HTML via a specific field in a configuration file, potentially allowing the attacker to access sensitive information, or even rewrite the content of the HTML page.
CVE-2017-13754 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 2.7/10 has been assigned. For a better understanding of how this score was generated, please follow this link: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N
Vulnerability #2: FlexNet Publisher Remote Code Execution
A custom string copying function of lmgrd.exe (the license server manager in FlexNet Publisher) and flexsvr.exe does not use proper bounds checking on incoming data, potentially allowing a remote, unauthenticated user to send crafted messages with the intent of causing a buffer overflow.
CVE-2015-8277 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 9.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Customers with affected versions of CodeMeter and/or FlexNet Publisher that were installed with FactoryTalk Activation Manager are encouraged to review the table below for suggested actions that will address the risks associated with these vulnerabilities.
| Currently Installed | Suggested Actions |
| FactoryTalk Activation Manager v4.01 and earlier | Update FactoryTalk Activation Manager to V4.02 or later. If unable to update FactoryTalk Activation Manager to V4.02, update CodeMeter to the latest version of CodeMeter that is compatible with FactoryTalk Activation Manager. For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center (PCDC): Standard Views > Software Latest Versions > FactoryTalk Activation. UPDATE: July 20, 2018: Cisco has released Snort Rule 38246 and Snort Rule 38247. |
Customers are encouraged, when possible, to combine the updates above with these general security guidelines to employ multiple strategies simultaneously.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 20-July-2018 | 1.2 | Added Snort Rules for FlexNet Publisher |
| 29-May-2018 | 1.1 | ICS-CERT Advisory Link Added |
| 12-Apr-2018 | 1.0 | Initial Release |
Version 1.0 - June 07, 2018
An unquoted service path privilege escalation vulnerability is a known and documented vulnerability that affects all versions of Windows that support spaces in file path names. Rockwell Automation® received a report from Gjoko Krstic of Zero Science Lab that certain versions of RSLinx® Classic and FactoryTalk® Linx™ Gateway (previously known as FactoryTalk Gateway) are potentially susceptible to this vulnerability. RSLinx Classic is a software solution that allows Logix5000™ Programmable Automation Controllers to connect to a wide variety of Rockwell Software® applications, ranging from programming, data acquisition and configuration applications to those that interact with a Human-Machine Interface (HMI). FactoryTalk Linx Gateway is software that provides an OPC UA server interface to allow the delivery of information from Rockwell Software applications to Allen-Bradley controllers.
Rockwell Automation has provided a software update containing the remediation for this vulnerability. For previous versions of this software, a series of steps to mitigate this vulnerability have been provided. Further details about this vulnerability, as well as recommended countermeasures, are contained below.
RSLinx Classic, V3.90.01 and earlier
FactoryTalk Linx Gateway, V3.90.00 and earlier
Successful exploitation of this vulnerability could potentially allow an authorized, but non-privileged local user to execute arbitrary code of the threat actor's choosing on the affected workstation. This vulnerability could also potentially allow a threat actor to escalate user privileges on the affected workstation. A well-defined service path enables Windows to find the service executable unambiguously by enclosing the path within quotation marks. Without quotation marks, any whitespace in the file path remains ambiguous, and the threat actor could drop a malicious executable once an unquoted service path is discovered.
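As an added check (not Rockwell Automation's code and not part of the advisory), the PowerShell below audits a workstation for services whose executable path is unquoted and contains a space, the exact condition described above, and can write the quoted form back so the ambiguity is removed. It assumes an elevated PowerShell session; the vendor path in the comment is a constructed placeholder.

```powershell
# Added example, not Rockwell Automation's code: report Windows services whose
# ImagePath is unquoted and contains whitespace, then optionally repair them.
# Assumes an elevated PowerShell session on the workstation being audited.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { continue }

        # A path that already starts with a quote is well-defined; skip it.
        if ($path.TrimStart().StartsWith('"')) { continue }

        # Everything up to the first ".exe" is the executable; the remainder is
        # service arguments that must be preserved when the path is repaired.
        if ($path -notmatch '^(?<exe>.*?\.exe)(?<rest>.*)$') { continue }
        $exe  = $Matches['exe'].Trim()
        $rest = $Matches['rest']

        # Only whitespace inside the executable path itself is the problem: for a
        # constructed "C:\Program Files\Example Vendor\svc.exe" the service
        # control manager has more than one candidate executable to try before
        # reaching the intended one, which is the ambiguity the advisory describes.
        if ($exe -match '\s') {
            [pscustomobject]@{
                Name       = $svc.Name
                StartMode  = $svc.StartMode
                RunAs      = $svc.StartName
                PathName   = $path
                QuotedPath = ('"{0}"{1}' -f $exe, $rest)
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Writes the quoted form back to the service's ImagePath registry value.
    # Takes the objects produced by Get-UnquotedServicePath; needs admin rights.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)] $Service)

    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)"
        if ($PSCmdlet.ShouldProcess($Service.Name, "set ImagePath to $($Service.QuotedPath)")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $Service.QuotedPath
        }
    }
}

# Report first; repair only after reviewing the list (-WhatIf previews the change).
Get-UnquotedServicePath | Format-Table Name, RunAs, PathName, QuotedPath -AutoSize
# Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

Services that the vendor fix already covers (RSLinx Classic v4.00.01 or later, FactoryTalk Linx Gateway v6.00.00 or later) should no longer appear in the report; any that still do are worth raising with the vendor rather than silently repairing.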
CVE-2018-10619 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
Customers using the affected versions of RSLinx Classic, FactoryTalk Linx and/or FactoryTalk Gateway OPC are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Product Family | Catalog Numbers | Suggested Actions |
| RSLinx Classic | 9355-WABx | Update to v4.00.01 or later (Download) |
| FactoryTalk Linx Gateway | 9355-LNXGWxxxENx 9355-OPDxxxxLENx 9355-OPDxxxxENx | Update to FactoryTalk Linx Gateway v6.00.00 or later (Download) |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 07-June-2018 | 1.0 | Initial release. |
Version 1.0 – May 10, 2018
Rockwell Automation received a report from Ariele Caltabiano at Zero Day Initiative regarding a potential vulnerability in certain versions of Arena® Simulation Software for Manufacturing that, if successfully exploited, can cause a crash of the software application (Denial of Service) and cause a user to potentially lose unsaved data. Arena is simulation software that helps customers analyze business ideas, rules, and strategies before real-life implementation in their business and control systems.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and implement the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Arena Simulation Software for Manufacturing, Cat. 9502-Ax, Versions 15.10.00 and earlier
If a maliciously crafted Arena file (meaning the content of the file is invalid, unexpected, and/or random) is sent to an unsuspecting victim who is tricked (via social-engineering techniques) into opening the file in Arena, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena to continue use.
Note: There are also valid reasons why a file may not open in Arena. To learn more about these circumstances, please see Article ID 1073702.
Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 5.5/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Customers using the affected versions of Arena are encouraged to install the updated revision of software that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below, and are encouraged, when possible, to combine these with secondary mitigations.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 10-May-2018 | 1.0 | Initial release. |
Version 1.0 - April 16, 2018
On March 28, 2018, Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included twenty security advisories detailing twenty-two vulnerabilities. Contained in these advisories are eight vulnerabilities that impact Allen-Bradley Stratix® and ArmorStratix™ products.
These discovered vulnerabilities are remotely exploitable and, if successfully exploited, may allow threat actors to impact the availability, confidentiality, and/or integrity of the vulnerable modules. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.
Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.
Updates for all affected products are now available, and linked in the table provided. Stratix product firmware versions not listed above are not affected by these vulnerabilities.
Vulnerability #1: Smart Install Remote Code Execution
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.
The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2.
A Common Vulnerabilities and Exposures ("CVE") ID has been assigned to this vulnerability: CVE-2018-0171. A CVSS v3 base score of 9.8 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Vulnerability #2: Smart Install Denial of Service Vulnerability
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.
The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted packet to an affected device on TCP port 4786.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi.
CVE-2018-0156 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #3: DHCP Version 4 Relay Denial of Service
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.
The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr3.
CVE-2018-0174 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #4: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.
The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause a heap overflow condition on the affected device, which will cause the device to reload and result in a DoS condition.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr1.
CVE-2018-0172 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #5: DHCP Version 4 Relay Reply Denial of Service Vulnerability
A vulnerability in the Cisco IOS Software and Cisco IOS XE Software function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.
The vulnerability exists because the affected software performs incomplete input validation of encapsulated option 82 information that it receives in DHCPOFFER messages from DHCPv4 servers. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device, which the device would then forward to a DHCPv4 server. When the affected software processes the option 82 information that is encapsulated in the response from the server, an error could occur. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr2.
CVE-2018-0173 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #6: Internet Key Exchange Memory Leak Vulnerability
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak or a reload of an affected device that leads to a denial of service (DoS) condition.
The vulnerability is due to incorrect processing of certain IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device to be processed. A successful exploit could cause an affected device to continuously consume memory and eventually reload, resulting in a DoS condition.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike.
CVE-2018-0158 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities
Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device.
Link Layer Discovery Protocol Buffer Overflow Vulnerability
A vulnerability in the LLDP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.
Link Layer Discovery Protocol Format String Vulnerability
A vulnerability in the LLDP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp.
CVE-2018-0167 and CVE-2018-0175 have been assigned to these vulnerabilities. A CVSS v3 base score of 8.8 has been assigned to these vulnerabilities; the CVSS v3 vector string is CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Customers using affected versions of these Stratix products are encouraged to update to the latest available software versions, which address the associated risk and include improvements that further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.
| Product Family | Affected Versions | Updates Available |
| Stratix 5400 Industrial Ethernet Switches | 15.2(6)E0a and earlier | Apply FRN 15.2(6)E1 or later (Download) |
| Stratix 5410 Industrial Distribution Switches | 15.2(6)E0a and earlier | Apply FRN 15.2(6)E1 or later (Download) |
| Stratix 5700 Industrial Managed Ethernet Switches | 15.2(6)E0a and earlier | Apply FRN 15.2(6)E1 or later (Download) |
| Stratix 8000 Modular Managed Ethernet Switches | 15.2(6)E0a and earlier | Apply FRN 15.2(6)E1 or later (Download) |
| ArmorStratix 5700 Industrial Managed Ethernet Switches | 15.2(6)E0a and earlier | Apply FRN 15.2(6)E1 or later (Download) |
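The table above expresses the affected range as "15.2(6)E0a and earlier" with 15.2(6)E1 as the fix. Cisco IOS release strings do not sort as plain text (15.2(6)E0a is later than 15.2(6)E0, and releases on different trains such as E and EA are not comparable), so an inventory check needs to parse them. The following Python helper is an added example written for this page, not a Rockwell Automation or Cisco tool; the hostnames and versions in SAMPLE_INVENTORY are constructed, and it assumes the fixed release 15.2(6)E1 applies to every family listed in the table.

```python
import re
from typing import Dict, List, Tuple

# Cisco IOS release strings as they appear in the Stratix table, e.g. 15.2(6)E0a:
# <major>.<minor>(<maintenance>)<train><rebuild>[<letter>]. The train ("E" here)
# is not numerically ordered, so releases from different trains are never compared.
_IOS_VERSION = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\)"
    r"(?P<train>[A-Z]+)(?P<rebuild>\d+)(?P<letter>[a-z]?)$"
)

# Fixed release named in the advisory table (assumed here to apply to every listed family).
FIXED_RELEASE = "15.2(6)E1"

VersionKey = Tuple[int, int, int, str, int, str]


def parse_ios_version(text: str) -> VersionKey:
    """Turn '15.2(6)E0a' into a tuple that compares in release order within one train."""
    m = _IOS_VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised IOS version string: {text!r}")
    return (int(m["major"]), int(m["minor"]), int(m["maint"]),
            m["train"], int(m["rebuild"]), m["letter"])


def is_affected(running: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when `running` is older than `fixed` on the same train ("and earlier" in the table)."""
    r, f = parse_ios_version(running), parse_ios_version(fixed)
    if r[3] != f[3]:
        raise ValueError(f"train {r[3]} cannot be ordered against train {f[3]}; review manually")
    # Tuple comparison: a rebuild without a letter ('') sorts before one with a letter ('a'),
    # which matches Cisco's numbering where 15.2(6)E0a is a later rebuild of 15.2(6)E0.
    return r < f


def audit(inventory: List[Tuple[str, str]], fixed: str = FIXED_RELEASE) -> Dict[str, str]:
    """Classify each (hostname, version) pair as 'update', 'ok' or 'review'."""
    result: Dict[str, str] = {}
    for host, version in inventory:
        try:
            result[host] = "update" if is_affected(version, fixed) else "ok"
        except ValueError:
            # Unparseable string or a different train: do not guess, flag for a human.
            result[host] = "review"
    return result


# Constructed sample inventory (hypothetical hostnames and versions, not from the advisory).
SAMPLE_INVENTORY = [
    ("cell-a-stratix5400", "15.2(6)E0a"),
    ("cell-b-stratix5700", "15.2(6)E1"),
    ("ring-armorstratix", "15.2(5)E2"),
    ("lab-switch", "15.2(4)EA7"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the output of `show version` collected from each switch; anything reported as "review" is on a different train or uses a format the pattern does not recognise, and should be checked against the table by hand rather than assumed safe.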
| Vulnerability | Workaround (if available) | Other Notes |
| #1: Smart Install Remote Code Execution Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 46096 and Snort Rule 46097. See "Smart Install Notes" below for additional Smart Install information/recommendations. |
| #2: Smart Install Denial of Service Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 41725. See "Smart Install Notes" below for additional Smart Install information/recommendations. |
| #3: DHCP Version 4 Relay Denial of Service Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 46120. |
| #4: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 46104. |
| #5: DHCP Version 4 Relay Reply Denial of Service Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 46119. |
| #6: Internet Key Exchange Memory Leak Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 46110. |
| #7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities | There are no workarounds that address these vulnerabilities. | N/A |
Smart Install Notes: For the Smart Install vulnerabilities (#1 and #2):
| Date | Version | Details |
| 16-Apr-2018 | 1.0 | Initial Release |
Version 1.0 - April 16, 2018
On March 28, 2018 Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included twenty security advisories detailing twenty-two vulnerabilities. Contained in these advisories are eight vulnerabilities that impact Allen-Bradley® Stratix® and ArmorStratix™ products.
These discovered vulnerabilities are remotely exploitable and, if successfully exploited, may allow threat actors to impact the availability, confidentiality, and/or integrity of the vulnerable modules. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.
Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.
Vulnerability #1: Internet Key Exchange Memory Leak Vulnerability
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak or a reload of an affected device that leads to a denial of service (DoS) condition.
The vulnerability is due to incorrect processing of certain IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device to be processed. A successful exploit could cause an affected device to continuously consume memory and eventually reload, resulting in a DoS condition.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike.
CVE-2018-0158 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #2: Quality of Service Remote Code Execution Vulnerability
A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges.
The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 18999 of an affected device. An attacker could exploit this vulnerability by sending malicious packets to an affected device. When the packets are processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code on the affected device with elevated privileges. The attacker could also leverage this vulnerability to cause the device to reload, causing a temporary DoS condition while the device is reloading.
The malicious packets must be destined to and processed by an affected device. Traffic transiting a device will not trigger the vulnerability.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-qos.
CVE-2018-0151 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Vulnerability #3 and #4: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities
Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device.
Link Layer Discovery Protocol Buffer Overflow Vulnerability
A vulnerability in the LLDP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.
Link Layer Discovery Protocol Format String Vulnerability
A vulnerability in the LLDP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp.
CVE-2018-0167 and CVE-2018-0175 have been assigned to these vulnerabilities. A CVSS v3 base score of 8.8 has been assigned to these vulnerabilities; the CVSS v3 vector string is CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Customers using affected versions of these Stratix products are encouraged to review and apply the available mitigations to address the associated risk; these also include improvements that further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.
| Vulnerability | Workaround (if applicable) | Other Notes |
| #1: Internet Key Exchange Memory Leak Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 46110. |
| #2: Quality of Service Remote Code Execution Vulnerability | Customers who do not use the Adaptive QoS for DMVPN feature can deny all traffic destined to UDP port 18999 on an affected device by using a Control Plane Policing (CoPP) policy similar to the following:
If the Adaptive QoS for DMVPN feature is later configured, the device must be upgraded to an unaffected release of Cisco IOS Software or Cisco IOS XE Software and the CoPP policy must be removed. | Cisco has released Snort Rule 46111. |
| #3 and #4: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities | There are no workarounds that address these vulnerabilities. | N/A |
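The workaround cell for vulnerability #2 refers to a Control Plane Policing policy "similar to the following", but the configuration text itself was not carried over into this page. The block below is an added illustration of what such a policy looks like in Cisco IOS MQC syntax; it is not the advisory's or Cisco's own text, the ACL, class-map and policy-map names are assumed, and the exact commands available vary by platform and release, so confirm them on the specific Stratix model before deploying.

```cisco
! Match traffic addressed to the device itself on UDP port 18999
! (the port named in the vulnerability #2 description). ACL name is assumed.
ip access-list extended DROP-UDP-18999
 permit udp any any eq 18999
!
! Class that selects the matched traffic. Name is assumed.
class-map match-all CM-DROP-UDP-18999
 match access-group name DROP-UDP-18999
!
! Drop that class before it reaches the control plane; all other traffic is
! left to the existing policy (class-default is implicit and unchanged).
policy-map COPP-STRATIX
 class CM-DROP-UDP-18999
  drop
!
! Apply inbound on the control plane so only punted traffic is affected;
! transit traffic is not evaluated here.
control-plane
 service-policy input COPP-STRATIX
```

As the table states, this only suits devices that do not use Adaptive QoS for DMVPN; if that feature is configured later, upgrade to an unaffected release and remove the policy, since the ACL would otherwise drop the feature's own traffic. Counters from `show policy-map control-plane` give a quick indication of whether anything is hitting the drop class.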
| Date | Version | Details |
| 16-Apr-2018 | 1.0 | Initial Release |
Version 1.0 - April 16, 2018
On March 28, 2018 Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included twenty security advisories detailing twenty-two vulnerabilities. Contained in these advisories are eight vulnerabilities that impact Allen-Bradley Stratix® and ArmorStratix™ products.
These discovered vulnerabilities are remotely exploitable and, if successfully exploited, may allow threat actors to impact the availability, confidentiality, and/or integrity of the vulnerable modules. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.
Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.
Vulnerability #1: Smart Install Remote Code Execution
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.
The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2.
A Common Vulnerabilities and Exposures ("CVE") ID has been assigned to this vulnerability: CVE-2018-0171. A CVSS v3 base score of 9.8 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Vulnerability #2: Smart Install Denial of Service Vulnerability
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.
The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted packet to an affected device on TCP port 4786.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi.
CVE-2018-0156 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #3: Bidirectional Forwarding Detection Denial of Service Vulnerability
A vulnerability in the Bidirectional Forwarding Detection (BFD) offload implementation could allow an unauthenticated, remote attacker to cause a crash of the iosd process, causing a denial of service (DoS) condition.
The vulnerability is due to insufficient error handling when the BFD header in a BFD packet is incomplete. An attacker could exploit this vulnerability by sending a crafted BFD message to or across an affected switch. A successful exploit could allow the attacker to trigger a reload of the system.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-bfd.
CVE-2018-0155 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #4: DHCP Version 4 Relay Denial of Service
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.
The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr3.
CVE-2018-0174 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #5: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.
The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause a heap overflow condition on the affected device, which will cause the device to reload and result in a DoS condition.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr1.
CVE-2018-0172 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #6: DHCP Version 4 Relay Reply Denial of Service Vulnerability
A vulnerability in the Cisco IOS Software and Cisco IOS XE Software function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.
The vulnerability exists because the affected software performs incomplete input validation of encapsulated option 82 information that it receives in DHCPOFFER messages from DHCPv4 servers. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device, which the device would then forward to a DHCPv4 server. When the affected software processes the option 82 information that is encapsulated in the response from the server, an error could occur. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr2.
CVE-2018-0173 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
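The three DHCPv4 relay vulnerabilities described above (and the same three in the two preceding advisories on this page) share one root cause: length fields inside option 82 are trusted before being checked against the bytes actually received. The following Python parser is an added example written for this page, not code from Cisco or Rockwell Automation, showing what complete validation of a DHCP options area and of the option 82 sub-options looks like. The sample packets are constructed; the option and sub-option codes follow RFC 2132 and RFC 3046.

```python
from typing import Dict

OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT_INFO = 82           # RFC 3046 "Relay Agent Information" option
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


class DhcpParseError(ValueError):
    """Raised for any length field that does not fit the bytes actually present."""


def parse_options(options: bytes) -> Dict[int, bytes]:
    """Walk the DHCP options area (after the magic cookie) with strict bounds checks."""
    found: Dict[int, bytes] = {}
    i, n = 0, len(options)
    while i < n:
        code = options[i]
        if code == OPT_PAD:            # single-byte option, no length field
            i += 1
            continue
        if code == OPT_END:            # single-byte terminator
            return found
        if i + 2 > n:
            raise DhcpParseError(f"option {code} at offset {i} has no length byte")
        length = options[i + 1]
        start, end = i + 2, i + 2 + length
        if end > n:
            raise DhcpParseError(f"option {code} claims {length} bytes but only {n - start} remain")
        # Repeated options are concatenated (RFC 3396 style); callers decide if that is acceptable.
        found[code] = found.get(code, b"") + options[start:end]
        i = end
    raise DhcpParseError("options area is missing the END (255) marker")


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Split option 82 into its sub-options {code: data}, rejecting truncated or duplicate entries."""
    subopts: Dict[int, bytes] = {}
    i, n = 0, len(value)
    while i < n:
        if i + 2 > n:
            raise DhcpParseError(f"sub-option at offset {i} is shorter than its 2-byte header")
        code, length = value[i], value[i + 1]
        start, end = i + 2, i + 2 + length
        if end > n:
            raise DhcpParseError(f"sub-option {code} claims {length} bytes but only {n - start} remain")
        if code in subopts:
            raise DhcpParseError(f"sub-option {code} appears twice")
        subopts[code] = value[start:end]
        i = end
    return subopts


def relay_agent_info(options: bytes) -> Dict[int, bytes]:
    """Option 82 sub-options from a whole options area, or {} when option 82 is absent."""
    opts = parse_options(options)
    if OPT_RELAY_AGENT_INFO not in opts:
        return {}
    return parse_option82(opts[OPT_RELAY_AGENT_INFO])


def is_well_formed(options: bytes) -> bool:
    """True when every length field in the options area and in option 82 is consistent."""
    try:
        relay_agent_info(options)
        return True
    except DhcpParseError:
        return False


# Constructed sample: DHCPDISCOVER (option 53 = 1) carrying a well-formed option 82
# with circuit-id "Gi1/0/3" (7 bytes) and a 6-byte remote-id, then END.
GOOD_OPTIONS = (
    bytes([OPT_MESSAGE_TYPE, 1, 1])
    + bytes([OPT_RELAY_AGENT_INFO, 17, SUBOPT_CIRCUIT_ID, 7]) + b"Gi1/0/3"
    + bytes([SUBOPT_REMOTE_ID, 6]) + bytes.fromhex("0011223344ff")
    + bytes([OPT_END])
)

# Constructed malformed sample: the circuit-id sub-option announces 7 bytes but option 82
# ends after 3 of them. A parser that copied `length` bytes would read past the buffer.
BAD_OPTIONS = (
    bytes([OPT_MESSAGE_TYPE, 1, 1])
    + bytes([OPT_RELAY_AGENT_INFO, 5, SUBOPT_CIRCUIT_ID, 7]) + b"Gi1"
    + bytes([OPT_END])
)

if __name__ == "__main__":
    print("good:", relay_agent_info(GOOD_OPTIONS))
    print("bad well-formed?", is_well_formed(BAD_OPTIONS))
```

The point of the two nested checks is that the outer option length and each inner sub-option length are validated independently against what remains in the buffer; an option 82 whose outer length is fine but whose sub-option lengths overrun it is still rejected, which is exactly the case the relay and relay-reply descriptions above cover.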
Vulnerability #7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities
Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device.
Link Layer Discovery Protocol Buffer Overflow Vulnerability
A vulnerability in the LLDP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.
Link Layer Discovery Protocol Format String Vulnerability
A vulnerability in the LLDP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp.
CVE-2018-0167 and CVE-2018-0175 have been assigned to these vulnerabilities. A CVSS v3 base score of 8.8 has been assigned to these vulnerabilities; the CVSS v3 vector string is CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Customers using affected versions of these Stratix products are encouraged to review and apply the available mitigations to address the associated risk; these also include improvements that further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.
| Vulnerability | Workaround (if available) | Other Notes |
| #1: Smart Install Remote Code Execution Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 46096 and Snort Rule 46097. See "Smart Install Notes" below for additional Smart Install information/recommendations. |
| #2: Smart Install Denial of Service Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 41725. See "Smart Install Notes" below for additional Smart Install information/recommendations. |
| #3: Bidirectional Forwarding Detection (BFD) Denial of Service Vulnerability | There are no workarounds that address this vulnerability. | Administrators who do not use the BFD feature in their environments can disable the BFD feature by using the feature bfd disable command in global configuration mode to prevent exploitation of this vulnerability. Administrators who do use the BFD feature can implement Control Plane Policing (CoPP) to allow processing of BFD packets from known BFD peers only and drop all other BFD traffic to limit exposure. |
| #4: DHCP Version 4 Relay Denial of Service Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 46120. |
| #5: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 46104. |
| #6: DHCP Version 4 Relay Reply Denial of Service Vulnerability | There are no workarounds that address this vulnerability. | Cisco has released Snort Rule 46119. |
| #7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities | There are no workarounds that address these vulnerabilities. | N/A |
Smart Install Notes: For the Smart Install vulnerabilities (#1 and #2):
| Date | Version | Details |
| 16-Apr-2018 | 1.0 | Initial Release |
Version 1.0 - March 28, 2018
Jared Rittle and Patrick DeSantis of Cisco Talos, Cisco Systems, Inc.’s ("Cisco") security intelligence and research group contacted Rockwell Automation with a report detailing several vulnerabilities in the MicroLogix 1400™ controller family that, if successfully exploited, can have impacts ranging from Denial of Service to potential information disclosure.
Rockwell Automation has evaluated the contents of the researcher’s report and produced this disclosure, which provides details relating to these vulnerabilities and recommended countermeasures.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
| Product | Catalog Numbers | Affected Versions |
| MicroLogix 1400 | 1766-Lxxx | FRN 21.003 and earlier |
| MicroLogix 1100 | 1763-Lxxx | FRN 16.00 and earlier |
The report from Cisco Talos contained six potential vulnerabilities. Rockwell Automation evaluated all six reported issues and provided fixes and/or mitigations after confirming the first five vulnerabilities. The sixth reported issue is listed below, however, Rockwell Automation has determined that this feature works as intended. Additional details are provided below.
Vulnerability #1: Denial of Service via Ethernet Functionality
A remote, unauthenticated attacker could potentially send a specially crafted packet to the Ethernet port of an affected controller, which puts the device in a fault state and potentially deletes ladder logic.
CVE-2017-12088 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #2: Denial of Service via Download Functionality
A remote, unauthenticated attacker could send a specially crafted packet to the controller during the standard download process. Without the proper packet to indicate download completion, the controller freezes in the download state for one minute before entering the fault state.
CVE-2017-12089 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #3: Denial of Service - SNMP-set request
A specially crafted SNMP-set request, when sent without associated SNMP-set commands for firmware flashing, can cause the device to power cycle resulting in downtime for the device. An attacker can send one packet to trigger this vulnerability.
CVE-2017-12090 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.3/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #4: Access Control Vulnerabilities
A remote, unauthenticated attacker could send a specially crafted packet to the affected device and utilize read or write operations that could result in several potential impacts, ranging from disclosure of sensitive information, modification of settings, or ladder logic modification.
Potential implications as a result of the vulnerability are listed below; each situation was reported to us by Cisco Talos and has been addressed by Rockwell Automation.
| Item # | Summary of Situation | CVE-2017-XXXX |
| 4a | Modification of Communication Protocols and Network Configuration | CVE-2017-14462 |
| 4b | Overwriting the PLC Ladder Logic | CVE-2017-14463 |
| 4c | Memory Module mismatch Fault | CVE-2017-14464 |
| 4d | Forcing PLC I/O | CVE-2017-14465 |
| 4e | Writing and Clearing Master Password (See **) | CVE-2017-14466 |
| 4f | Perform online edits to ladder logic | CVE-2017-14467 |
| 4g | Trigger the PLC to load program from Electrically Erasable Programmable Read-Only Memory (EEPROM) | CVE-2017-14468 |
| 4h | Setting an invalid value for the user fault routine | CVE-2017-14469 |
| 4i | Setting float elements to invalid values | CVE-2017-14470 |
| 4j | Setting fault bits in specific function files to cause a Denial of Service | CVE-2017-14471 |
| 4k | Reading Master Password (See **) | CVE-2017-14472 |
| 4l | Reading Master Ladder Logic | CVE-2017-14473 |
** Master Password not supported when using RSLogix 500 v11 and later with a MicroLogix 1400 controller flashed to FRN 21.002 or later.
Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 10/10 has been assigned overall. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Vulnerability #5: File-Write vulnerability in Memory Module
A memory module installed in a MicroLogix controller allows a user to instruct the controller to write its program to the module without authentication. The memory module is a back-up, but can also be used to load programs once an error occurs, and has the ability to load the program every time the device powers on.
CVE-2017-12092 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 3.7/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.
Reported Issue #6: Malicious Register Session Packets lead to Communication Loss
The MicroLogix 1400 controller supports ten active sessions at a time. The issue describes a scenario where a malicious user sends their own Register Session packets in order to create their own connection to the controller, preventing valid users from accessing the PLC. However, when there are ten existing connections to the controller and another Register Session packet is sent, the oldest connection will be disconnected. The user whose online session has been disconnected receives the normal communication loss alert, upon which they can choose to reconnect.
CVE-2017-12093 has been assigned to this vulnerability by Cisco Talos. While evaluating this issue as a potential vulnerability, Cisco Talos assigned a CVSS v3.0 score of 5.3/10. For details, please follow the link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.
Customers using the affected controllers are strongly encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Vulnerability | Product Family | Catalog Number | Hardware Series | Suggested Actions |
| #1: DoS via Ethernet Functionality | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #2: DoS via Download Functionality | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #3: DoS via SNMP-set request | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4a: Modification of Communication Protocol / Network Configuration | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4b: Overwriting Large Ladder Logic | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4c: Memory Module Mismatch | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4d: Forcing PLC I/O | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4e: Writing and Clearing Master Password | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4f: Perform online edits to ladder logic | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4g: Trigger PLC program load from EEPROM | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4h: Setting an invalid value to fault routine | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4i: Setting float elements to invalid values | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4j: Setting fault bits in function file causes DoS | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4k: Reading Master Password | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #4l: Reading Master Ladder Logic | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #5: File-Write in Memory Module | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
| #6: Communications Loss | MicroLogix 1400 | 1766-Lxxx | Series B or C | |
| | MicroLogix 1400 | 1766-Lxxx | Series A | |
| | MicroLogix 1100 | 1763-Lxxx | All Series | |
Note: In addition, customers using affected versions of MicroLogix 1100 or MicroLogix 1400 Series A are urged to contact their local distributor or Sales Office in order to upgrade their devices to a newer product line.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 28-Mar-2018 | 1.0 | Initial Release |
Version 1.0 - December 22, 2017
Thiago Alves, from the Center for Cybersecurity Research and Education at the University of Alabama, Huntsville, contacted Rockwell Automation with a report detailing a potential vulnerability in the MicroLogix™ controller family that, if successfully exploited, could cause the controller to become unresponsive to Modbus TCP communications, and could potentially cause the controller to fault. Rockwell Automation has determined that several versions of the MicroLogix™ 1400 controller are affected by this vulnerability.
MicroLogix™ is a family of Programmable Logic Controllers ("PLC") used to control processes across several sectors, including Food and Agriculture; Critical Infrastructure; as well as Water and Wastewater Systems.
Customers using affected versions of this device are encouraged to evaluate the details of the vulnerability below as it applies to their specific device implementation, as well as to implement any applicable mitigations to their deployed products. Additional details relating to the vulnerability are provided herein.
MicroLogix 1400 Controllers, Series B and C
Versions 21.002 and earlier
This includes the following catalogs:
A remote, unauthenticated attacker could send specially crafted Modbus TCP packets to the affected device in order to exploit a buffer overflow condition. The Modbus buffer is not deallocated when a packet exceeds a specific length. Repeated sending of Modbus TCP data can cause a denial of service to the Modbus functionality, and potentially cause the controller to fault.
Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Customers using affected versions of the MicroLogix™ 1400 PLCs are encouraged to update to the newest available firmware versions that address associated risks and include added improvements to further help harden the device and enhance its resilience against similar malicious attacks.
| Product Family | Catalog Numbers | Hardware Series | Suggested Actions |
| MicroLogix 1400 | 1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA | Series B or C | - Apply FRN 21.003 (Downloads) - Apply any additional mitigations below. |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 22-Dec-2017 | 1.0 | Initial Release |
Version 1.1 - December 7, 2017
Version 1.0 - November 1, 2017
A vulnerability exists in FactoryTalk® Alarms and Events (FTAE) that, if successfully exploited, can cause a Denial of Service condition to the historian service within FTAE. FactoryTalk Alarms and Events is used to provide a common, consistent view of alarms and events through a FactoryTalk View SE HMI system and is used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.
Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
FactoryTalk Alarms and Events v2.90 and earlier.
FactoryTalk Alarms & Events is a component of the FactoryTalk Services platform. Customers using FTAE-based alarms in FactoryTalk View SE or Logix-based alarms in ControlLogix / CompactLogix processors will be impacted. FactoryTalk Alarms & Events is installed by several products:
Affected customers may consult the Risk Mitigation section of this advisory for information on how to address the issue.
An unauthenticated attacker with remote access to a network with FactoryTalk Alarms and Events can send a specially crafted set of packets to port TCP/403 (the history archiver service), causing the service to either stall or terminate.
The history archiver service of FactoryTalk Alarms and Events is used to archive alarms and events to a Microsoft SQL Server database. Disrupting this capability can result in a loss of information, the criticality of which depends on the type of environment that the product is used in. The service must be restarted in order to restore operation.
CVE-2017-14022 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Customers using the affected software are encouraged to update to an available revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Product Family | Version In Use | Suggested Actions |
| FactoryTalk Alarms and Events | V2.90 | - Implement the V2.90 patch (instructions) - Disable TCP port 403. See item #2 below for details. |
| FactoryTalk Alarms and Events | V2.81 and earlier | - Update to FTAE V2.90 from PCDC (instructions), then implement the V2.90 patch (instructions) - Disable TCP port 403. See item #2 below for details. |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 07-Dec-2017 | 1.1 | Updated with CVE # |
| 01-Nov-2017 | 1.0 | Initial Release |
Version 1.1 - November 6, 2017
Version 1.0 - October 23, 2017
On October 16, 2017, Mathy Vanhoef of the University of Leuven released a research paper detailing several vulnerabilities in the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) protocols. Rockwell Automation, along with Cisco Systems, Inc. ("Cisco"), has determined that all versions of the Allen-Bradley® Stratix® 5100 Wireless Access Point/Workgroup Bridge ("Stratix 5100 WAP/WGB") are affected by one of these ten vulnerabilities when the device has been configured with a specific non-default configuration. This vulnerability can be exploited by a Key Reinstallation Attack (KRACK), in which a malicious actor tricks the victim into reinstalling a key that is already in use. A successful attack may allow the attacker to operate as a "man-in-the-middle" between the device and the wireless network. This could then be leveraged to manipulate the data stream, remove TLS/SSL and/or capture credentials and confidential information in transmission.
The Stratix 5100 wireless access point provides an 802.11-compliant Wi-Fi implementation that wirelessly connects client devices to an Ethernet-based network. The vulnerabilities are solely exploitable in close proximity to a device that is actively joining a previously joined wireless network.
Customers using this device are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the vulnerability are provided herein.
Stratix 5100 Wireless Access Point/ Workgroup Bridge
Version 15.3(3)JC1 and earlier
This includes the following catalogs:
Key Reinstallation Attacks ("KRACK") work against the four-way handshake of the WPA2 protocol. KRACK takes advantage of the retransmission of a handshake message: the client reinstalls the same encryption key every time it receives message 3 from the Access Point ("AP"). The AP retransmits the handshake message if a proper client acknowledgement of the initial message is not received, and each reinstallation resets the nonce value and replay counter to their initial values. A malicious actor could force these nonce resets by replaying the appropriate handshake message, which could allow for injection and decryption of arbitrary packets, hijacking of TCP connections, injection of HTTP content, or replaying of unicast or multicast data frames on the targeted device.
CVE-2017-13082 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.9/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N.
The original public security advisory issued by Cisco is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
The report by US-CERT is available at the following link: https://www.kb.cert.org/vuls/id/228519
Rockwell Automation recommends that all customers patch the clients that connect to the Stratix 5100 WAP/WGB, and recommends contacting your vendor to get the most updated patch that is compatible with your client devices. However, patching the client only protects the connection formed by that specific client. In order to protect all future clients that may be added to your system, Rockwell Automation recommends patching the Stratix 5100 WAP/WGB when the firmware is available.
UPDATE: NOVEMBER 6, 2017
After further investigation, Rockwell Automation has determined that, since the vulnerability affects Stratix 5100 access points with 802.11r enabled, and 802.11r is not fully supported on the Stratix 5100 WAP/WGB, access-point users are not affected by this vulnerability, and patching the Stratix 5100 WAP/WGB is not required when the device is operating as an access point. To verify that 802.11r is disabled in your device, please refer to Knowledgebase Article ID 1068007. It is still suggested that users refer to the manufacturers of their connected wireless client devices for suggested patch procedures.
Alternatively, a workaround exists for CVE-2017-13082. If you are using a Stratix 5100 in Access Point ("AP") mode (and not in Workgroup Bridge ("WGB") mode) and you have enabled 802.11r fast roaming, it is recommended that the 802.11r fast roaming function be disabled. In order to disable 802.11r, do one of the following:
| Command | Purpose |
| configure terminal | Enters Global Configuration Mode |
| interface Dot11Radio0 | Enters Radio0 (2.4GHz) Configuration |
| no dot11 dot11r | Executes command to disable 802.11r |
| Interface Dot11Radio1 | Enters Radio1 (5GHz) Configuration |
| no dot11 dot11r | Executes command to disable 802.11r |
| end | Exits to privileged EXEC mode |
| write | Writes configuration to Non-volatile memory |
NOTE: Disabling 802.11r could have a negative impact on the performance and availability of a customer’s system. Customers are encouraged to evaluate the impact to specific environments before performing this workaround.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 06-Nov-2017 | 1.1 | Update about affected feature. |
| 23-Oct-2017 | 1.0 | Initial release. |
Version 1.1 - November 2, 2017
Version 1.0 - March 23, 2017
Cisco Systems, Inc. ("Cisco") has reported that a vulnerability exists in the Cisco Cluster Management Protocol ("CMP") processing code in the Cisco IOS and Cisco IOS XE software. Allen-Bradley® Stratix® and ArmorStratix™ products contain affected versions of the Cisco IOS and IOS XE software. The Stratix product line contains Industrial Ethernet and/or Distribution switches for real-time control and information sharing on a common network infrastructure.
This vulnerability is remotely exploitable and can allow attackers to affect the availability of the vulnerable devices, and potentially even allow an attacker to execute arbitrary code and obtain full control of the device.
Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
All Versions 15.2(5)EA.fc4 and earlier
All Versions 15.2(4a)EA5 and earlier
The Cluster Management Protocol uses Telnet to internally signal and send commands. A remote, unauthorized attacker could send malformed CMP-specific Telnet messages to try to establish a Telnet session with one of the affected products. Incorrect processing of these messages can cause the device to reload, or, in certain cases, allow the attacker to execute arbitrary code with elevated privileges on the device. If a customer has Telnet disabled, the attack vector is eliminated. Currently, no publicly available exploit code exists for this vulnerability.
The original product security advisory issued by Cisco is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
CVE-2017-3881 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
UPDATE: NOVEMBER 02, 2017
Rockwell Automation has released a new version of firmware that addresses this vulnerability in several affected devices. Please see the table below for more details.
Rockwell Automation recommends customers using affected products to consult the suggestions below and, when possible, employ multiple strategies to mitigate their risk.
| Product Family | Catalog Numbers | Affected Version | Suggested Actions |
| Stratix 8300 | 1783-RMS | 15.2(4)EA and earlier | - See Risk Mitigations below |
| Stratix 8000 | 1783-MS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| Stratix 5400 | 1783-HMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| Stratix 5410 | 1783-IMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| Stratix 5700 | 1783-BMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| ArmorStratix 5700 | 1783-ZMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
For further information on Rockwell Automation’s Vulnerability Handling process, please refer to our FAQs document: http://literature.rockwellautomation.com/idc/groups/literature/documents/lm/secur-lm003_-en-p.pdf.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory with the Rockwell Automation Security Advisory Index at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
REVISION HISTORY
| Date | Version | Details |
| 02-NOVEMBER-2017 | 1.1 | Patched FW Release |
| 24-MARCH-2017 | 1.0 | Initial Release |
Version 1.1 - November 2, 2017
Version 1.0 - July 27, 2017
Cisco Systems, Inc. ("Cisco") has reported that multiple vulnerabilities exist in the Simple Network Management Protocol ("SNMP") subsystem of Cisco IOS and IOS XE software that, if successfully exploited, can allow an authenticated, remote attacker to execute code on an affected device or cause an affected device to crash and reload. Allen-Bradley® Stratix® and ArmorStratix™ Industrial Ethernet switch products and the Stratix 5900 Services Router contain affected versions of the Cisco IOS and IOS XE software. The Stratix product line contains Industrial Ethernet switches for real-time control and information sharing on a common network infrastructure.
According to Cisco, these vulnerabilities are remotely exploitable and can allow attackers to affect the availability of the vulnerable devices, and potentially even allow an attacker to execute arbitrary code and obtain full control of the device.
UPDATE: NOVEMBER 2, 2017
Rockwell Automation has released a new version of firmware that addresses this vulnerability in several affected devices. Please see the table below for more details.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
For support on how to determine which version of Stratix firmware is on your device, please see Knowledgebase Article ID 55484.
All Versions 15.2(5)EA.fc4 and earlier
• Allen-Bradley Stratix 5400 Industrial Ethernet Switches
• Allen-Bradley Stratix 5410 Industrial Distribution Switches
• Allen-Bradley Stratix 5700 and ArmorStratix™ 5700 Industrial Managed Ethernet Switches
• Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches
All Versions 15.2(4)EA and earlier
• Stratix 8300 Modular Managed Ethernet Switches
All Versions 15.6(3)M1 and earlier
• Allen-Bradley Stratix 5900 Services Router
Multiple vulnerabilities exist in the SNMP subsystem of Cisco IOS and IOS XE software that could allow an authenticated, remote attacker to execute code on an affected system or cause an affected system to reload by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.
The vulnerabilities affect all versions of SNMP. To exploit these vulnerabilities via SNMP version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities in SNMP version 3, the attacker must authenticate their identity with user credentials for the affected system.
| CVE ID # | Headline | CVSS v3 Score and Vector String * |
| CVE-2017-6736 | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | 8.8/10 (High) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2017-6737 | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | 8.8/10 (High) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2017-6738 | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | 8.8/10 (High) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2017-6739 | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | 8.8/10 (High) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2017-6740 | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | 8.8/10 (High) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2017-6741 | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | 8.8/10 (High) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2017-6742 | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | 8.8/10 (High) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2017-6743 | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | 8.8/10 (High) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2017-6744 | SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software | 8.8/10 (High) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
* For a better understanding of how this score was generated, please follow the link to first.org.
Rockwell Automation will update this advisory as new versions of firmware are released that remediate this vulnerability. Until then, Rockwell Automation recommends that customers using affected products consult the suggestions below and employ multiple strategies to mitigate their risk when possible.
| Product Family | Catalog Numbers | Affected Versions | Suggested Actions |
| Stratix 8300 | 1783-RMS | 15.2(4)EA and earlier | - Update to v15.2(4a)EA5 or later (Download) |
| Stratix 5900 | 1783-SRKIT | V15.6.3 and earlier | - See Risk Mitigations below |
| Stratix 8000 | 1783-MS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| Stratix 5400 | 1783-HMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| Stratix 5410 | 1783-IMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| Stratix 5700 | 1783-BMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
| ArmorStratix 5700 | 1783-ZMS | 15.2(5)EA.fc4 and earlier | - Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
| Date | Version | Details |
| 02-Nov-2017 | 1.1 | Updated Firmware Available |
| 27-Jul-2017 | 1.0 | Initial Release |
Version 1.2 - August 24, 2017
Version 1.1 - March 21, 2017
Version 1.0 - February 16, 2017
Update: March 21, 2017
A complete list of the software products that distribute versions of FactoryTalk® Activation Manager has been identified and listed under the affected products below. FactoryTalk Activation is a component of the FactoryTalk Services Platform that enables customers to activate and manage Rockwell Automation software products via activation files that are downloaded from the Internet.
In those instances where customers using one of the listed software products are unable to update to the latest version of FactoryTalk Activation, please refer to the KnowledgeBase Article ID 939382 to verify and patch any unquoted service paths in a specific system.
An unquoted service path privilege escalation vulnerability is a known and documented vulnerability that affects all versions of Windows that support spaces in file path names. Certain versions of FactoryTalk® Activation Manager are susceptible to this vulnerability. FactoryTalk Activation is a component of the FactoryTalk Services Platform that enables customers to activate and manage Rockwell Automation software products via activation files that are downloaded from the Internet. This vulnerability can be exploited to link to, or run, a malicious executable of the attacker’s choosing.
Rockwell Automation has provided a software update containing the remediation for this vulnerability. Rockwell Automation has also provided a series of steps to allow customers to mitigate this vulnerability in previously downloaded versions. Further details about this vulnerability, as well as recommended countermeasures, are contained below.
AFFECTED PRODUCTS
FactoryTalk Activation Service v4.00.02 and earlier
Update: March 21, 2017
The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. All versions prior to, and including, v4.00.02 of the FactoryTalk Activation Service are affected. In other words, customers who recognize products from the following list are using FactoryTalk Activation Manager, and they may consult the Risk Mitigation section of this advisory for information on how to verify that their systems are affected and how to manually address this vulnerability.
VULNERABILITY DETAILS
Successful exploitation of this vulnerability could potentially allow an authorized, but non-privileged, local user to execute arbitrary code with elevated privileges on the system. A well-defined service path enables Windows to find the service executable unambiguously; this is accomplished by enclosing the path in quotation marks. Without quotation marks, any whitespace in the file path is ambiguous, because Windows tries each space-delimited prefix of the path as a candidate executable, and an attacker could drop a malicious executable at one of those locations if the service path is discovered.
This vulnerability allows an authorized individual with access to a file system to possibly escalate privileges by inserting arbitrary code into the unquoted service path. When the Windows Service Manager starts the service, it will attempt to launch the implanted executable rather than the intended and authentic executable.
A CVSS v3 base score of 8.8 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
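As an added example that is not part of the Rockwell advisory or of Knowledgebase Article 939382, the following PowerShell reports Windows services whose executable path contains a space but is not enclosed in quotation marks, which is the condition described above. It reads the service list through the `Win32_Service` class and shows the corrected, quoted value next to each finding; the optional repair function writes that value back to the service's `ImagePath` registry value and supports `-WhatIf` so the change can be reviewed before it is applied. Function names are the author's own.

```powershell
# Added example: find services with an unquoted executable path that contains whitespace.
# The Service Control Manager resolves such a path left to right, trying each
# space-delimited prefix as a program name, which is the ambiguity the advisory describes.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = $_.PathName
            # Split the command line into executable and arguments at the first ".exe"
            # (lookbehind keeps ".exe" with the executable part; -split is case-insensitive).
            $exe, $arguments = $path -split '(?<=\.exe)', 2
            if ($null -eq $arguments) { $arguments = '' }

            # Vulnerable pattern: the value is not quoted and the executable portion contains whitespace.
            if ($path -notmatch '^\s*"' -and $exe -match '\s') {
                [pscustomobject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    StartMode   = $_.StartMode
                    ImagePath   = $path
                    # Corrected value: only the executable is quoted, arguments are kept as-is.
                    QuotedPath  = ('"{0}"{1}' -f $exe, $arguments)
                }
            }
        }
}

# Optional remediation: write the quoted path back to the service's ImagePath value.
# Run with -WhatIf first; requires an elevated session.
function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject]$Service
    )
    process {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)"
        if ($PSCmdlet.ShouldProcess($key, "Set ImagePath to $($Service.QuotedPath)")) {
            # ImagePath is normally REG_EXPAND_SZ, so keep that type when rewriting it.
            Set-ItemProperty -Path $key -Name ImagePath -Value $Service.QuotedPath -Type ExpandString
        }
    }
}

# Usage: review the findings, then apply with -WhatIf removed once they have been checked.
Get-UnquotedServicePath | Format-Table Name, StartMode, ImagePath, QuotedPath -AutoSize
# Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

The report-only function is safe to run on any host; the repair step changes the registry and should follow the procedure in Knowledgebase Article 939382, which remains the authoritative guidance for FactoryTalk Activation installations.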
RISK MITIGATIONS
Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.
Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation. To download v4.01 or later, go to this link for PCDC (Product Compatibility & Download Center) and select the "Select Files" icon for all Free Downloads. Select the latest FactoryTalk Activation from the list of downloads.
Update: August 24, 2017
Customers can consult the Product Compatibility and Download Center Standard Views>Software Latest Versions>FactoryTalk Activation for details about the latest FactoryTalk Activation Manager.
Note: When centralizing FactoryTalk Activation Manager (FTAM) to a single server host, it is important to ensure that the centralized Activation server is running a version of FactoryTalk Activation Manager equal to, or greater than, the latest version of client FTAM on your network. It is important to update the central activation servers before client activation servers. For details visit Knowledgebase Article 612825 Managing Remote FactoryTalk Activation Manager Servers.
If unable to upgrade to the latest version visit KnowledgeBase Article ID 939382, which describes how to identify whether or not your service path contains spaces (i.e. is vulnerable); how to manually address this vulnerability through a registry edit; and walks through the process of doing such edits.
Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory, the Rockwell Automation Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter. For further information on our Vulnerability Management process, please refer to our Product Security Vulnerability FAQ document.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation, and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.
ADDITIONAL LINKS
Product Security Vulnerability FAQ
| Date | Version | Details |
| 16-FEB-2017 | 1.0 | Initial release |
| 21-MAR-2017 | 1.1 | FTA Concurrent Distribution List |
| 24-AUG-2017 | 1.2 | Compatibility Information |
| Date | Version | Details |
| 30-Jun-2017 | 1.2 | Clarified port information with respect to FT Software products |
| 29-Jun-2017 | 1.1 | Title update |
| 28-Jun-2017 | 1.0 | Initial release |
On June 27, 2017, a new malware variant named “Petya” (also known as “NotPetya” or “Nyetya”) began affecting Microsoft Windows personal computers (PCs) around the world. NotPetya is a Petya-inspired malware variant and behaves in a manner similar to how the “WannaCry” malware that surfaced in May 2017 did, specifically in that it is a self-propagating "worm" that infects any vulnerable host that has not patched the Windows SMBv1 vulnerability. Microsoft patched this vulnerability, named “MS17-010,” in March 2017.
However, it is worth noting that this malware has some key differences from WannaCry, including how it propagates to other machines and how it attacks the victim’s PC.
As of this writing, there is no known direct impact to Rockwell Automation products from this malware, though all files present on a machine (including files used by Rockwell Automation products) may be encrypted in the event of a successful attack. However, customers who use Rockwell Automation software products may be vulnerable to this attack since most of the Rockwell Automation software products run on Microsoft Windows platforms containing the underlying vulnerability which enables this attack.
Rockwell Automation decided to provide this advisory since customers running Rockwell Automation software on Microsoft Windows may be vulnerable to this attack. Information and links to Microsoft-provided resources are provided below, as well as our qualification report for MS17-010. We are continuing to monitor this situation, and we will update this advisory as we learn more.
According to Microsoft’s MS17-010 Security Bulletin, the following operating systems contain the vulnerability:
Note: Both 32-bit and 64-bit versions are vulnerable.
Note: At the time of this writing, and according to Microsoft, no versions of Windows CE are affected.
This malware is similar in many ways to the WannaCry malware that surfaced in May 2017, but it also includes different methods for the encryption of files and propagation across the network to infect new machines. Reports suggest that if the Petya malware has administrative privileges, it does not encrypt files individually through a whitelist approach, but instead will encrypt the entire filesystem, rendering the machine completely inaccessible. Industrial control system ("ICS") specific files, which may not have been specifically included in past whitelists, will now also be encrypted along with any other file on the filesystem.
The initial Petya infection comes from opening an infected file attached to an email. Once a machine on a victim's network is infected, Petya uses multiple mechanisms to propagate through the victim's network without any of the user interaction that social engineering-based attacks rely on:
- EternalBlue, the same SMB exploit which allowed WannaCry to propagate.
- Microsoft Windows Management Instrumentation (WMI), using the user's credentials.
- The Microsoft PsExec tool, using the user's credentials.
The risk from EternalBlue can be mitigated by applying updates from MS17-010. The other two attack vectors can be mitigated through blocking ports utilized by those protocols.
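The advisory says the WMI and PsExec paths can be mitigated by blocking the ports those protocols use, without naming them. As an added example that is not part of the Rockwell advisory, the PowerShell below creates inbound Windows Firewall block rules for those ports on hosts that do not need to expose them. The port numbers are the author's assumption from the protocols involved (TCP 445 for SMB, which PsExec also relies on, and TCP 135 for the RPC endpoint mapper that WMI connects through), not values from the advisory; the function name is the author's own. It needs the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session.

```powershell
# Added example: block the inbound ports used by the SMB/PsExec and WMI propagation paths.
# Port numbers are assumed from the protocols, not taken from the advisory.
function Block-LateralMovementPorts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Scope of the block rule. Default blocks every remote address; pass specific
        # ranges (for example the office VLAN) to block only traffic from those sources
        # while leaving an engineering or management subnet able to reach the host.
        [string[]]$RemoteAddress = @('Any')
    )

    # Rule definitions: display name and the TCP port each one blocks.
    $rules = @(
        @{ Name = 'ICS hardening - block inbound SMB (TCP 445)';            Port = 445 },
        @{ Name = 'ICS hardening - block inbound RPC endpoint mapper (TCP 135)'; Port = 135 }
    )

    foreach ($r in $rules) {
        # Skip rules that already exist so the function is safe to re-run.
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule already present: $($r.Name)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($r.Name, 'New-NetFirewallRule')) {
            # Block rules take precedence over allow rules in Windows Firewall, so this
            # overrides any existing File and Printer Sharing / WMI allow rules for the
            # given remote addresses. Note from the advisory: blocking these ports will
            # prevent file shares (and remote WMI management) from working in some instances.
            New-NetFirewallRule -DisplayName $r.Name `
                                -Direction Inbound -Protocol TCP -LocalPort $r.Port `
                                -RemoteAddress $RemoteAddress -Action Block -Profile Any | Out-Null
        }
    }
}

# Report what is currently in place for the two ports, so the change can be verified.
function Get-LateralMovementPortRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            if ($filter.Protocol -eq 'TCP' -and ($filter.LocalPort -contains '445' -or $filter.LocalPort -contains '135')) {
                [pscustomobject]@{ Name = $_.DisplayName; Port = ($filter.LocalPort -join ','); Action = $_.Action }
            }
        }
}

# Usage: preview first, then apply, then verify.
Block-LateralMovementPorts -WhatIf
# Block-LateralMovementPorts
Get-LateralMovementPortRules | Format-Table -AutoSize
```

Because a block rule wins over any allow rule, scope `-RemoteAddress` to the networks you actually want to cut off rather than relying on a later allow rule to carve out exceptions; domain controllers and file servers that legitimately serve SMB need a different treatment than engineering workstations.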
Rockwell Automation strongly recommends that customers review the Microsoft MS17-010 Security Bulletin, evaluate the potential risks, and implement a mitigation plan. Microsoft has provided patches for ALL affected operating systems, including XP and 2003. Rockwell Automation suggests that before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to help ensure that there are no unexpected results or side effects.
The Rockwell Automation Microsoft Patch Qualification team has qualified versions of our products on Windows 7 and Windows Server 2008 R2 with MS17-010 installed. For detailed information on versions tested, visit the Rockwell Automation Microsoft Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.
The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 7 and Windows Server 2008 R2 SP1.
However, the Rockwell Automation Microsoft Patch Qualification team has NOT qualified versions of our products with MS17-010 installed on Microsoft operating systems that are End of Life. We consider this patch to be a relatively 'low risk' in impacting Rockwell Automation products and should be applied at your discretion.
Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, subscribing to Knowledgebase Article 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring MS17-010. Be aware that the attack strategies can change as defenses are built up, and further action may be required.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
Version 1.1 - May 18, 2017
On May 10, 2017, a new ransomware attack called "WannaCry" (also known as "WannaCrypt"), began affecting Microsoft Windows personal computers ("PCs") around the world. The ransomware is a self-propagating "worm" that infects any vulnerable host that has not patched the SMBv1 Windows vulnerability. This vulnerability was patched in March 2017 by Microsoft and has been named "MS17-010", which is included in the monthly Microsoft roll-ups: "MS17-006".
Unlike previous ransomware variants that require social engineering ("phishing"), WannaCry takes advantage of a publicly known vulnerability in Microsoft Windows, which allows it to spread quickly throughout a network and infect additional hosts with no user interaction.
As of this writing, there is no known direct impact to Rockwell Automation products from this ransomware. However, customers who use Rockwell Automation software products may be vulnerable to this attack since this software runs on Microsoft Windows platforms containing the underlying vulnerability which enables this attack.
Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary payment in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically, the user must pay a ransom (in some form of untraceable currency), and must do so before the deadline expires and the decryption key is destroyed.
Rockwell Automation decided to provide this advisory since customers running Rockwell Automation software on Microsoft Windows are likely vulnerable to this attack. Information and links to Microsoft-provided resources are provided below, as well as our qualification report for MS17-010. We are continuing to monitor this situation, and we will update this advisory as we learn more.
According to Microsoft's MS17-010 Security Bulletin, the following operating systems contain the vulnerability:
Note: Both 32-bit and 64-bit versions are vulnerable.
At the time of this writing, and according to Microsoft, no versions of Windows CE are affected by these vulnerabilities.
According to Microsoft's MS17-010 Security Bulletin:
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Rockwell Automation strongly recommends that customers review the Microsoft MS17-010 Security Bulletin, evaluate the risks, and implement a mitigation plan. Microsoft has provided patches for ALL affected operating systems, including XP and 2003. Rockwell Automation suggests that before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to ensure that there are no unexpected results or side effects.
The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 8.1, Windows 7 SP1, and Windows Server 2008 R2 SP1. For detailed information on versions tested, visit the Rockwell Automation MS Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.
1.) For any supported operating systems, utilize the "Windows Update" feature to download and apply updates.
2.) For unsupported operating systems, download English language security updates directly:
3.) For non-English unsupported operating systems, download localized versions for Windows XP, Windows 8 or Windows Server 2003: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
4.) Alternatively, Microsoft recommends that you disable the SMB service following these instructions: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
Note: This will prevent file shares from working in some instances.
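The four steps above describe how to obtain the MS17-010 update or, failing that, disable SMBv1. As an added example that is not part of the Rockwell advisory or of Microsoft's documentation, the PowerShell below reports whether a host has an MS17-010 update installed and whether the SMBv1 server is still enabled, and offers a `-WhatIf`-capable function for step 4. The only KB identifier taken from the advisory is KB4012598 (the standalone update for the unsupported systems in step 3); the identifier that applies to other operating systems differs, so the `-KnownKB` parameter is an assumption that must be set for the OS being checked. The SMBv1 registry fallback follows Microsoft's article 2696547, linked in step 4. Function names are the author's own.

```powershell
# Added example: check MS17-010 exposure on the local host and optionally disable SMBv1.
function Get-Ms17010Status {
    [CmdletBinding()]
    param(
        # Update identifiers that indicate MS17-010 is present. KB4012598 is the standalone
        # update from step 3 above; supply the monthly rollup identifier for other systems.
        [string[]]$KnownKB = @('KB4012598')
    )

    # Installed updates that match any of the supplied identifiers.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $KnownKB -contains $_.HotFixID }

    # SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on older systems fall back to the LanmanServer "SMB1" registry value (article 2696547),
    # where an absent value means SMBv1 is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                                -Name SMB1 -ErrorAction SilentlyContinue
        $smb1 = if ($null -eq $reg) { $true } else { [bool]$reg.SMB1 }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = [Environment]::OSVersion.Version.ToString()
        PatchInstalled   = [bool]$installed
        PatchIds         = ($installed.HotFixID -join ',')
        Smb1Enabled      = $smb1
        # Exposed when the update is missing and the SMBv1 server is still reachable.
        ExposedToMs17010 = ((-not $installed) -and $smb1)
    }
}

# Step 4 above. Note from the advisory: this will prevent file shares from working in some
# instances (any peer that can only speak SMBv1). Supports -WhatIf; requires an elevated session.
function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('LanmanServer', 'Disable SMBv1 protocol')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    } else {
        # Older systems: registry value from article 2696547; takes effect after a reboot.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        if ($PSCmdlet.ShouldProcess($key, 'Set SMB1 = 0 (effective after reboot)')) {
            Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        }
    }
}

# Usage: report, and warn if the host is still exposed.
$status = Get-Ms17010Status
$status | Format-List
if ($status.ExposedToMs17010) {
    Write-Warning 'No MS17-010 update found and SMBv1 is enabled: apply the update, or run Disable-Smb1Server as a stopgap.'
}
# Disable-Smb1Server -WhatIf
```

On a control-system host, run the report on a non-production or idle system first, as the advisory recommends for the update itself, because disabling SMBv1 affects any file share that older clients or devices depend on.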
The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 7 and Windows Server 2008 R2 SP1.
The Rockwell Automation MS Patch Qualification team has not qualified versions of our products with MS17-010 installed on Microsoft operating systems that are End-of-Life. We consider this patch to be a relatively 'low risk' in impacting Rockwell Automation products and should be applied at your discretion.
In addition, Cisco Talos has released IPS/IDS Snort rules to detect and defend against WannaCry. See their blogpost for additional information.
Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, subscribing to Knowledgebase Article 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring MS17-010. Be aware that the attack strategies can change as defenses are built up, and further action may be required.
1.) Refer to Knowledgebase Article 546987 for Rockwell Automation recommended customer hardening guidelines, including information about compatibility between antivirus software and Rockwell Automation products. For a list of Rockwell Automation tested antivirus software, refer to Knowledgebase Article 35330.
2.) Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
3.) Run all software as User, not as Administrator.
4.) Use trusted software and software patches that are obtained only from highly reputable sources.
5.) Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
6.) Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.
7.) Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
8.) When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
UPDATE: April 26, 2017 - Further investigation has confirmed that the Stratix 8300® platform is also affected by these vulnerabilities. Stratix 8300 is a family of modular managed Ethernet switches. Affected versions of Stratix 8300, including mitigations to deploy for affected customers, are provided below.
On September 28, 2016, Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included ten security advisories detailing eleven vulnerabilities. Contained in these ten advisories are five vulnerabilities that impact the following Allen-Bradley Stratix® and ArmorStratix™ products:
These discovered vulnerabilities are remotely exploitable and can allow attackers to affect the availability of the vulnerable modules if an attack is successful. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.
Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.
Updates for all affected products are now available, and linked in the table provided. Stratix product firmware versions not listed above are not affected by these vulnerabilities.
Vulnerability #1: AAA Authentication Fail Denial of Service
A vulnerability in the Authentication, Authorization, and Accounting (AAA) service for remote Secure Shell Host (SSH) connections to the device could allow an unauthenticated, remote attacker to cause the vulnerable device to reload.
This vulnerability is a result of an error log message that is shown when a remote SSH connection to the device fails AAA authentication. Upon failure, the remote SSH attacker receives the previously configured banner which can be used to authenticate the targeted device. A successful attack could result in a Denial of Service (DoS) condition.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-aaados
A Common Vulnerabilities and Exposures ("CVE") ID has been assigned to this vulnerability:
CVE-2016-6393 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerabilities #2 and #3: Software Multicast Routing Denial of Service Vulnerabilities
Two vulnerabilities were discovered in the multicast subsystem of Cisco’s IOS and IOS XE Software, allowing for unauthenticated, remote attackers to create a DoS condition.
The first vulnerability is in the Multicast Source Discovery Protocol (MSDP) and could allow an unauthenticated, remote attacker to cause the affected device to reload. This vulnerability is due to insufficient checking of MSDP Source-Active (SA) messages received from a configured MSDP peer. If an attacker can send traffic to the Internet Protocol version 4 ("IPv4") address of an affected device, a maliciously crafted packet would trigger the issue. A successful exploit could cause the affected device to restart.
The second vulnerability is due to insufficient checking of packets encapsulated in a Protocol Independent Multicast (PIM) register message. An attacker who is able to send Internet Protocol version 6 ("IPv6") register packets can create a malformed packet to send to a PIM rendezvous point in order to exploit this vulnerability. A successful exploit could cause the affected device to restart.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-msdp
CVE-2016-6382 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Vulnerability #4: DNS Forwarder Denial of Service and Information Corruption
A vulnerability exists in the Domain Name System ("DNS") forwarder functionality in the software that could allow an unauthenticated, remote attacker to cause the device to restart or corrupt the information existing in the device’s local DNS cache, or read part of the process memory.
The vulnerability is due to a flaw in handling crafted DNS response messages. An attacker could utilize this vulnerability by intercepting and crafting a DNS response message to a client DNS query that was forwarded from the affected device to a DNS server. A successful attack could cause the device to reload, which is a DoS, or corrupt the information on the local DNS cache.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns
CVE-2016-6380 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H.
Vulnerability #5: Software Smart Install Memory Leak Denial of Service
A vulnerability in the Smart Install client feature could allow an unauthenticated, remote attacker to cause a memory leak and an eventual DoS condition on the affected device.
This vulnerability is due to incorrect handling of image list parameters. To exploit this vulnerability, an attacker could send crafted Smart Install packets to Transmission Control Protocol ("TCP") port 4786. A successful attack could cause the switch to leak memory and eventually reload, resulting in a DoS condition.
Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi
CVE-2016-6385 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Currently, there is no publicly available exploit code relating to any of these vulnerabilities.
Customers using affected versions of these Stratix products are encouraged to update to the latest available software versions addressing the associated risk, and including improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.
| Product Family | Affected Versions | Updates Available |
| Stratix 5400 Industrial Ethernet Switches | 15.2(4)EA3 and earlier | Apply FRN 15.2(5)EA.fc4 or later (Download) |
| Stratix 5410 Industrial Distribution Switches | 15.2(4)EA3 and earlier | Apply FRN 15.2(5)EA.fc4 or later (Download) |
| Stratix 5700 Industrial Managed Ethernet Switches | 15.2(4)EA3 and earlier | Apply FRN 15.2(5)EA.fc4 or later (Download) |
| Stratix 8000 Modular Managed Ethernet Switches | 15.2(4)EA3 and earlier | Apply FRN 15.2(5)EA.fc4 or later (Download) |
| ArmorStratix 5700 Industrial Managed Ethernet Switches | 15.2(4)EA3 and earlier | Apply FRN 15.2(5)EA.fc4 or later (Download) |
| 28-APR-2017 Update: Stratix 8300 Modular Managed Ethernet Switches | All Prior to 15.2(4a)EA5 | Apply FRN 15.2(4a)EA5 or later (Download) |
| Vulnerability | Workaround (if available) | Other Notes |
| #1: AAA Authentication DoS | The AAA Failed-Login Banner can be removed via the command `no aaa authentication fail-message`. | The AAA Failed-Login Banner must be configured and SSH used for a remote connection to the device in order to exploit the vulnerability. To check whether AAA is configured, use the `show running-config \| include aaa` command and verify that it returns output. |
| #2 and #3: Multicast Routing DoS | There are no workarounds for either vulnerability. | N/A |
| #4: DNS Forwarder DoS and Info Corruption | There are no workarounds that address this vulnerability. | N/A |
| #5: Software Smart Install Memory Leak | There are no workarounds other than disabling the Smart Install feature. This can be done on some versions of firmware with the `no vstack` global configuration command. | To determine whether a device is configured with the Smart Install client feature, use the command `show vstack config`. If the output is `Role: Client`, the feature is enabled on the device. |
For further information on Rockwell Automation’s Vulnerability Management process, please refer to our FAQs document: http://literature.rockwellautomation.com/idc/groups/literature/documents/lm/secur-lm003_-en-p.pdf.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on the Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory using the Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.
REVISION HISTORY
| Date | Version | Details |
| OCT-2016 | 1.0 | Initial release. |
| 28-APR-2017 | 1.1 | Update to include Stratix 8300 and mitigations |
Multiple vulnerabilities exist in certain MicroLogix™ 1100 and 1400 controllers that, if successfully exploited, can allow unauthorized access to the web server, tampering with firmware, or a Denial of Service. MicroLogix is a family of Programmable Logic Controllers (PLCs) used to control processes across several sectors, including Food and Agriculture, Critical Infrastructure, and Water and Wastewater Systems. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Vulnerability #1: Weak Password Resolution
MicroLogix products use a numeric password with a small maximum length, making it easier for a user to guess the password. There is no penalty for incorrect passwords, so the attack can be repeated until the victim’s password is identified. Once a controller password is identified, the attacker is able to communicate with the controller and make disruptive changes.
A CVSS v3 base score of 9.8/10 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2017-7898 and CVE-2017-7903 have been assigned to this vulnerability.
Vulnerability #2: Firmware Tampering
Series C versions of MicroLogix 1400 firmware (FRN 21.00 and later) are digitally signed, whereas Series A and B are NOT digitally signed. When a new version of firmware is uploaded to the Series C product, the update will only proceed if the firmware’s digital signature is determined to be authentic.
A CVSS v3 base score of 8.1/10 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability #3: TCP Sequence Prediction Attack
An unauthorized, remote attacker has the potential to send counterfeit packets to a target host by predicting the TCP initial sequence numbers. The attacker may spoof or disrupt TCP connections that could potentially cause a Denial of Service to the target.
A CVSS v3 base score of 5.4/10 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L
CVE-2017-7901 has been assigned to this vulnerability.
Vulnerability #4: Improper Nonce Usage
A vulnerability exists in the HTTP Digest Authentication implementation that could allow an unauthorized, remote attacker to observe a valid HTTP request and replay that request back to the server. The attacker must observe an actual HTTP request that they wish to replay. The impact of this attack is limited to the functions that the web server exposes.
A CVSS v3 base score of 5.4/10 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CVE-2017-7902 has been assigned to this vulnerability.
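The replay described above and the server-side nonce handling that defeats it, as an added example (not the MicroLogix web server's code): a replay-prone check that verifies only the Digest response hash, beside a hardened check that also requires an unexpired server-issued nonce and a strictly increasing nonce-count. The realm, credential store and captured request are constructed sample data.

```python
"""HTTP Digest nonce handling on the server side: a replay-prone check beside
a hardened one. Added example, not the MicroLogix web server's code; realm,
credential store and the captured request are constructed sample data."""
import hashlib
import hmac
import secrets

REALM = "micrologix-demo"          # constructed
USERS = {"operator": "s3cret-pw"}  # constructed credential store


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'auth' response value: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_request(user, password, method, uri, nonce, nc, cnonce):
    """The Authorization fields a legitimate client sends (constructed)."""
    return {
        "username": user, "method": method, "uri": uri, "nonce": nonce,
        "nc": nc, "cnonce": cnonce,
        "response": digest_response(user, password, method, uri, nonce, nc, cnonce),
    }


class DigestServer:
    """Issues HMAC-bound, time-stamped nonces and tracks the highest
    nonce-count (nc) accepted for each nonce."""

    def __init__(self, ttl_seconds=60):
        self.key = secrets.token_bytes(32)   # per-process nonce-signing key
        self.ttl = ttl_seconds
        self.highest_nc = {}                 # nonce -> highest nc accepted

    def _tag(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()[:16]

    def issue_nonce(self, now):
        payload = f"{int(now)}:{secrets.token_hex(8)}"
        return f"{payload}:{self._tag(payload)}"

    def _nonce_valid(self, nonce, now):
        parts = nonce.split(":")
        if len(parts) != 3:
            return False
        ts, rnd, tag = parts
        if not hmac.compare_digest(self._tag(f"{ts}:{rnd}"), tag):
            return False                     # not a nonce this server issued
        return 0 <= now - int(ts) <= self.ttl

    def _response_matches(self, req):
        password = USERS.get(req["username"])
        if password is None:
            return False
        expected = digest_response(req["username"], password, req["method"],
                                   req["uri"], req["nonce"], req["nc"], req["cnonce"])
        return hmac.compare_digest(expected, req["response"])

    def verify_replayable(self, req):
        """Weak check: only the response hash is verified, so a captured
        request stays valid for as long as the password does."""
        return self._response_matches(req)

    def verify(self, req, now):
        """Hardened check: nonce must be ours and unexpired, the response must
        match, and nc must strictly increase for that nonce."""
        if not self._nonce_valid(req["nonce"], now):
            return False
        if not self._response_matches(req):
            return False
        nc = int(req["nc"], 16)
        if nc <= self.highest_nc.get(req["nonce"], 0):
            return False                     # same or older nc: a replay
        self.highest_nc[req["nonce"]] = nc
        return True


def replay_scenario(now=1_700_000_000):
    """Capture one valid request and replay it against both checks.
    Returns a dict of outcomes (True = request accepted)."""
    server = DigestServer(ttl_seconds=60)
    nonce = server.issue_nonce(now)
    user, password = "operator", USERS["operator"]
    captured = build_request(user, password, "GET", "/status", nonce, "00000001", "c0ffee")
    outcome = {
        "weak_first": server.verify_replayable(captured),
        "weak_replay": server.verify_replayable(captured),
        "hard_first": server.verify(captured, now),
        "hard_replay": server.verify(captured, now + 1),
    }
    # The real client continues with the next nc on the same nonce: accepted.
    follow_up = build_request(user, password, "GET", "/status", nonce, "00000002", "d00d")
    outcome["hard_next_nc"] = server.verify(follow_up, now + 2)
    # A correctly signed request on a nonce past its TTL: rejected.
    stale = build_request(user, password, "GET", "/status", nonce, "00000003", "f00d")
    outcome["hard_expired"] = server.verify(stale, now + 600)
    return outcome
```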
Vulnerability #5: User Credentials Sent via GET method
Ilya Karpov reported to Rockwell Automation that form values, including user credentials, are sent to the web server via an HTTP GET method, which may also log the credentials in network monitoring tools. An attacker with access to these logs could potentially harvest these passwords, which may further allow the attacker access to the webserver, or other systems that share the same user credentials.
A CVSS v3 base score of 3.1/10 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CVE-2017-7899 has been assigned to this vulnerability.
Customers using affected products are encouraged to update to the latest firmware version that addresses the associated risk and includes added improvements to further harden the software and enhance its resilience against similar malicious attacks. If it is not needed for their application, customers should consider disabling the web server to further mitigate these threats.
Customers who are unable to update their software are directed towards risk mitigation strategies provided in this document below. Where feasible, additional precautions and risk mitigation strategies, like those listed below, are similarly recommended. Employ multiple strategies when possible.
| Product Family | Catalog Numbers | Vulnerabilities Remediated | Suggested Actions |
| MicroLogix 1400, Series C | 1766-L32AWA | All Vulnerabilities | If possible, upgrade to Series C, FRN 21 or later, which utilizes digitally signed firmware. If unable to upgrade to Series C, combine updating to FRN 21 for Series B with the other risk mitigations described below. |
| MicroLogix 1400, Series B | 1766-L32AWA | Series B, FRN 21.00: Vulnerabilities 1, 3, 4, 5 | Apply FRN 21 or later for Series B, and combine with other risk mitigations (Downloads) |
| MicroLogix 1400, Series A | 1766-L32AWA | None | Disable the web server. See item #1 below for details |
| MicroLogix 1100 | 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, 1763-L16DWD | None | Disable the web server (see item #1 below for details) and apply the additional mitigations below |
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.
REVISION HISTORY
| Date | Version | Details |
| 25-April-2017 | 1.0 | Initial release. |
Version 1.0 - April 4, 2017
Cisco Systems, Inc. ("Cisco") has reported that several vulnerabilities exist in versions of the Stratix® 5900 Services Router software. The Stratix 5900 Services Router is capable of providing bridging, multi-protocol routing, and remote access services in industrial control systems.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
Stratix 5900, All Versions prior to 15.6.3
VULNERABILITY DETAILS
Rockwell Automation evaluated the vulnerabilities using the Common Vulnerability Scoring System ("CVSS") v3.0.
Security Advisories that Affect this Release
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Rockwell Automation has provided firmware version v15.6.3 as remediation for these vulnerabilities.
| Product Name | Catalog Number | Suggested Actions |
| Stratix 5900 Services Router | 1783-SRKIT | Update to v15.6.3 (Download) |
Customers using affected products are encouraged to update to this latest version, which addresses the associated risk and includes added improvements to further harden the software and enhance its resilience against similar malicious attacks.
Customers who are unable to update their software are directed toward risk mitigation strategies provided below.
Where feasible, it is recommended to use the additional precautions and risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously. Please click "Subscribe for Updates" in the upper right corner if you would like an email notification when this advisory is updated.
GENERAL SECURITY GUIDELINES
1. Help minimize any unnecessary network exposure by assessing all control system devices and/or systems, and confirm that firmware is kept up to date
2. Use proper network infrastructure controls, such as firewalls. As an extension to this approach, the Allen-Bradley® Stratix 5950 Industrial Network Security Appliance offers an Intrusion Detection System and Intrusion Prevention System (IDS/IPS) and Deep Packet Inspection (DPI) technology for the Common Industrial Protocol (CIP). With the introduction of this new product, Rockwell Automation can offer customers an intrusion detection system to provide real-time visibility in the event that a vulnerability is being exploited. The Stratix 5950 Security Appliance uses Cisco FirePOWER™ technology, which allows rules created by Cisco TALOS for a variety of known security issues to be processed. Once configured with rules, the FirePOWER engine inspects the contents of every packet, looking for data points that correspond to one or more rules. Packets that match these signatures can be either logged (IDS) or blocked (IPS).
For further information on Rockwell Automation’s Vulnerability Handling process, please refer to our FAQs document.
For additional information on deploying the Stratix 5950, please see our Deploying Industrial Firewalls within a CPwE Architecture Guide.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory with the Rockwell Automation Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
ADDITIONAL LINKS
Security Advisory Index, Knowledgebase article KB:54102
Industrial Firewalls within a CPwE Architecture
Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
Version 1.0 - April 4, 2017
A vulnerability exists in certain ControlLogix® 5580 and CompactLogix™ 5380 Programmable Automation Controllers that, if successfully exploited, can cause a Denial of Service ("DoS") condition due to memory and/or resource exhaustion. These Programmable Automation Controllers are used to control processes across several sectors, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
Note: Firmware versions (for all products) prior to FRN 28.011 are not affected by this vulnerability.
ControlLogix 5580 controllers V28.011, V28.012, and V28.013.
ControlLogix 5580 controllers V29.011.
CompactLogix 5380 controllers V28.011.
CompactLogix 5380 controllers V29.011.
VULNERABILITY DETAILS
This vulnerability may allow an attacker to intentionally send a series of specific CIP-based commands to the controller and cause either:
1. A Major Non-Recoverable Fault ("MNRF") resulting in a Denial of Service condition.
2. An inability to establish new communication connections, while the attack takes place, resulting in a temporary Denial of Service condition.
This vulnerability is remotely exploitable through CIP-based networks, including EtherNet/IP. At this time, there is no publicly known code to exploit this vulnerability. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system, and other controls a user may have in place.
CVE-2017-6024 has been assigned to this vulnerability. A CVSS v3 base score of 6.8/10 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Customers using the affected controllers are encouraged to update to an available firmware revision that addresses the associated risk.
| Type of Controller | Product Family | Catalog Numbers | Suggested Actions |
| Standard Controller | ControlLogix 5580 | All Catalog Numbers in the ControlLogix 5580 Family | Update to FRN 30.011 or later (Download) |
| Small Controller | CompactLogix 5380 | All Catalog Numbers in the CompactLogix 5380 Family | Update to FRN 30.011 or later (Download) |
GENERAL SECURITY GUIDELINES
1. Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
2. Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible from the Internet.
3. Locate control system networks and devices behind firewalls, and use best practices when isolating them from the business network.
4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.
· 54102 - Industrial Security Advisory Index
· Industrial Firewalls within a CPwE Architecture
· Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
Rockwell Automation received a report from independent researcher Ivan Javier Sanchez about a vulnerability in the Connected Components Workbench™ ("CCW") software. CCW is a design and configuration software that helps simplify standalone machine development by offering a single environment for controller programming, device configuration and visualization. DLL hijacking is a known and documented vulnerability that affects software running on Microsoft® Windows operating systems. The effects of this attack can range from a denial-of-service ("DoS"), to the injection of malicious code into trusted processes, depending on the content of the DLL and the risk mitigations in place by the victim.
As of this announcement, there is no known publicly available exploit code relating to this vulnerability.
Version 2.0 Update:
Rockwell Automation received a vulnerability report from Reid Wightman, a researcher from Dragos, reporting that additional versions of CCW continued to be affected by this vulnerability.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Certain DLLs included with versions of CCW software can be potentially hijacked to allow an attacker to gain rights to a victim’s affected personal computer (PC). Such access rights can be at the same, or potentially higher, level of privileges as the compromised user account, including and up to computer administrative privileges.
DLL hijacking requires user interaction and thus cannot be exploited remotely. The exploits are triggered only when a local user runs the vulnerable application, which then loads the untrusted DLL file in place of the real DLL file. Exploiting this vulnerability relies on successful social engineering of a victim to run an application with the untrusted file, or to access a malicious webpage that is susceptible to browser redirection. These actions could allow an untrusted binary or DLL to be loaded into the memory of a client computer in place of the intended DLL.
The impacts of a successful DLL hijacking attack can range from a software crash (i.e. Denial-of-Service), which would require a restart, to the injection of malicious code into trusted processes. The impact of an attack that injects malicious code is highly dependent on both the type of code included in the attack and any mitigations that the user may already employ. If the software is running as a high-privileged user, any injected code will also execute with those high privileges. The malicious code can also access process memory space that stores sensitive information, or additional services that may be manipulated by the modified DLL.
A CVSS v3 base score of 7.0 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Customers using versions of affected software are encouraged to take the following actions:
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
UPDATE: Feb 14, 2017 Rockwell Automation has released a new version of software, v11.00.00, which contains the remediation for this vulnerability. Affected customers are encouraged to update to the most recent release to take advantage of the latest security patches.
In June 2016, Rockwell Automation was notified by ICS-CERT of a buffer overflow vulnerability that exists in its RSLogix™ Micro Starter Lite product, a free starter programming software used to program logic for the Allen-Bradley MicroLogix™ product family.
This vulnerability is not remotely executable, and successful social engineering is required to convince a victim of using the tool to open an untrusted, specifically modified project file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as the logged-in user. The impact to the user’s environment is highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ. Currently, there is no publicly available exploit code relating to this vulnerability.
Rockwell Automation has evaluated the report and confirmed the existence of this vulnerability in RSLogix™ Micro Starter Lite. We further investigated and confirmed this vulnerability in the additional versions of RSLogix 500® and RSLogix™ Micro. We have released updated software to address the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.
A patch for v8.40.00 is available now and applies only to v8.40.00; links are provided below. The remediation will also be available in the next major revision of the software. This advisory will be updated when additional versions are available.
The discovered vulnerability exists in the code that opens and parses the RSLogix 500 and RSLogix Micro project files, identified by the RSS extension. In order for this vulnerability to be exploited in RSLogix 500 and RSLogix Micro, an attacker must create a malicious RSS file, which is the native file format for this software package. If the malicious project file is opened by an affected version of the product, the buffer overflow condition is exploited. If the attack is successful, the injected code runs at the same privilege level as the user who is logged into the machine.
Exploitation of this vulnerability requires the attacker to successfully convince a user to open a modified project file on their machine.
Potential impacts from a successful attack could include a software crash (for example, Denial of Service) which then requires a software restart. However, in more extreme cases, the victim may not even be aware of vulnerability exploitation while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.
CVE-2016-5814 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned; the CVSS v3 vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
The following precautionary measures are recommended as additional risk mitigation strategies for this type of attack. If possible, multiple strategies should be employed simultaneously.
| Product Family | Catalog Numbers | Software Versions | Suggested Actions |
| RSLogix Micro | 9324-RLMx | 8.40.00 | 878490 - Patch: Crash when opening project, RSLogix 500 8.40.00 |
| RSLogix Micro | 9324-RLMx | Versions 10.00.00 and earlier | Update to V11.00 or later (Download) |
| RSLogix 500 | 9324-RL0x | 8.40.00 | 878490 - Patch: Crash when opening project, RSLogix 500 8.40.00 |
| RSLogix 500 | 9324-RL0x | Versions 10.00.00 and earlier | Update to V11.00 or later (Download) |
Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index, and the company public security web page at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website at http://www.rockwellautomation.com/solutions/security.
If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.
54102 - Industrial Security Advisory Index
878490 - Patch: Crash when opening project, RSLogix 500 8.40.00
ICS-CERT Advisory ICSA-16-224-02
Revision History:
14-FEB-2017 Version 1.1 Added details for V11.00.00.
Rockwell Automation® was notified of several vulnerabilities discovered in the MicroLogix™ 1100 and MicroLogix 1400 versions of the product family. MicroLogix is a family of Programmable Logic Controllers ("PLC") used to control processes across several sectors, including Food and Agriculture, Critical Infrastructure, and Water and Wastewater Systems.
As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector had the potential to affect other Rockwell Automation product platforms.
Details relating to these vulnerabilities, the known affected platforms, and recommended countermeasures are contained herein.
Vulnerability #1: Hardcoded Usernames
Hardcoded username credentials on the MicroLogix 1100 and MicroLogix 1400 PLCs can reduce the effort required to obtain the full set of user credentials, which could allow unauthorized administrative access to device configuration options available through the web interface.
A CVSS v3 base score of 6.5 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vulnerability #2: Information Disclosure
Ilya Karpov reported to Rockwell Automation that user credentials, along with other information exchanged between browser and webserver are sent in clear text, which may allow an attacker to discover the credentials if they are able to observe traffic between the web browser and the server.
CVE-2016-9334 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vulnerability #3: Incorrect Permission Assignment for Critical Resource
Ilya Karpov reported to Rockwell Automation that a vulnerability exists in those instances where a user with administrator privileges goes to a specific link and removes all administrative users from the functional web service. A factory reset is required to remove the improper changes and restore the web service on this product.
CVE-2016-9338 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Customers using affected versions of the MicroLogix 1400 and MicroLogix 1100 PLCs are encouraged to update to the newest available software versions that address associated risks and include added improvements to further help harden the software and enhance its resilience against similar malicious attacks. If it is not needed for their application, customers should consider disabling the web server to further mitigate these threats.
Where feasible, additional precautions and risk mitigation strategies for this type of attack, such as those listed below, are similarly recommended. Employ multiple strategies when possible.
| Product Family | Catalog Numbers | Hardware Series | Vulnerabilities Remediated | Suggested Actions |
| MicroLogix 1100 | 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD | Series B | Vulnerability #3: Permanent DoS | Apply FRN 15.000 or higher (Downloads); disable the web server (see Item #2 below for details); apply the additional mitigations described below. |
| MicroLogix 1100 | 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD | Series A | None | Disable the web server (see Item #2 below for details); apply the additional mitigations described below. |
| MicroLogix 1400 | 1766-L32AWA, 1766-L32AWAA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA | Series B | All Vulnerabilities | Apply FRN 16.000 (Downloads); disable the web server (see Item #2 below for details); apply the additional mitigations below. |
| MicroLogix 1400 | 1766-L32AWA, 1766-L32AWAA, 1766-LK32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA | Series A | None | Disable the web server (see Item #2 below for details); apply the additional mitigations below. |
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation’s network and security services to enable assessment, design, implementation and management of validated, secure network architectures. For further information on our Vulnerability Management process, please refer to our Product Security Vulnerability FAQ document.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
On May 13, 2016, Cisco disclosed a vulnerability in their Industrial Ethernet 4000 and 5000 Series switches. This vulnerability also impacts the Allen-Bradley Stratix® 5400 Industrial Ethernet Switches and the Allen-Bradley Stratix® 5410 Industrial Distribution Switches containing particular versions of IOS firmware. The discovered vulnerability is remotely exploitable and may allow an attacker to corrupt a subsequent packet traversing the device. At this time, both Rockwell Automation and Cisco are unaware of any publicly available exploit code.
Customers using affected versions of this software are encouraged to upgrade to the newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.
No other Rockwell Automation Stratix products are currently known to be affected by this vulnerability. Stratix 5400 and Stratix 5410 Switches running any versions other than those listed above are not affected by this vulnerability.
To determine if your Stratix 5400 switch or Stratix 5410 switch is using the above firmware, please refer to KB55484: Upgrading or verifying Stratix Firmware.
A vulnerability in the packet processing microcode of Stratix 5400 and Stratix 5410 switches could allow an unauthenticated, remote attacker to corrupt packets enqueued on the device for further processing.
The vulnerability is due to improper processing of some Internet Control Message Protocol ("ICMP") IPv4 packets. An attacker could exploit this vulnerability by sending ICMP IPv4 packets to an affected device. A successful exploit could allow an attacker to corrupt the packet enqueued for transmission immediately after the anomalous packet. This may impact control traffic to the device itself (Address Resolution Protocol (ARP) traffic) or traffic transiting the device.
Cisco’s product security disclosure for their Industrial Ethernet 4000 and 5000 Series switches is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160513-ies
A CVSS v3 base score of 5.8 has been assigned to this vulnerability by Rockwell Automation. The CVSS v3 vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N).
Customers using affected versions of the Stratix 5400 and Stratix 5410 software are encouraged to upgrade to the newest available versions that address the risk associated with this vulnerability. Where feasible, additional precautions and risk mitigation strategies for this type of attack, such as those listed below, are similarly recommended. When possible, multiple strategies should be employed simultaneously.
| Product | Hardware Series | Mitigations |
| Stratix 5400 Industrial Ethernet Switches | Series A | Apply version 15.2(4)EA3 or newer (Download) |
| Stratix 5410 Industrial Distribution Switches | Series A | Apply version 15.2(4)EA3 or newer (Download) |
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Rockwell Automation has internally discovered and remediated two authentication-based vulnerabilities in the Rockwell Software FactoryTalk® EnergyMetrix™ product. FactoryTalk EnergyMetrix is a web-enabled management software package that gives you access to critical energy information, and allows you to capture, analyze, store, and share energy data with key stakeholders using a standard web browser.
The first vulnerability concerns user credentials that are not immediately invalidated after an explicit logout action is performed by the user, which may allow an attacker to use these credentials in perpetuity. The second vulnerability is an SQL Injection vulnerability which may allow an attacker to access the FactoryTalk EnergyMetrix system without valid user credentials. Both vulnerabilities are exploitable remotely. At this time, there is no known publicly available exploit code relating to the vulnerabilities.
Rockwell Automation has examined associated vectors and revised product software has been released to address risks. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.
Authenticated User Token Remains Valid after Logout
When a user explicitly logs out of their FactoryTalk EnergyMetrix account, their authentication token is not immediately invalidated by the system. An attacker who obtained this token would be able to access the FactoryTalk EnergyMetrix system at the same privilege level as the user, by resending the captured token with their request.
CVE-2016-4531 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
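The weakness described above is that the server keeps honouring a token after the user has explicitly logged out. The following added example (constructed for this advisory, not FactoryTalk EnergyMetrix code) contrasts a session store whose logout only clears the client side with one that revokes the server-side record, and replays a captured token after logout against each; the class and function names are assumptions for illustration.

```python
import secrets
import time


class SessionStore:
    """Constructed server-side session registry.

    Tokens are opaque random values; the server decides whether a token is
    still live, so an explicit logout can revoke it immediately.
    """

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (username, expires_at)

    def login(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, now + self.ttl)
        return token

    def logout(self, token):
        # Explicit logout deletes the server-side record, so a captured
        # copy of the token is useless from this point on.
        self._sessions.pop(token, None)

    def authenticate(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(token, None)  # expired: drop it
            return None
        return username


class LogoutIgnoringStore(SessionStore):
    """Constructed model of the weakness in the advisory: logout only clears
    the client's cookie and leaves the server-side record in place, so the
    token stays valid until its natural expiry."""

    def logout(self, token):
        pass  # nothing is revoked server-side


def replay_after_logout(store):
    """Constructed scenario: a token captured during the session is replayed
    after the user explicitly logs out. Returns the username the server
    accepts for the replay, or None if the replay is rejected."""
    token = store.login("operator", now=1000.0)
    assert store.authenticate(token, now=1001.0) == "operator"
    store.logout(token)
    return store.authenticate(token, now=1002.0)


if __name__ == "__main__":
    print("weak store accepts replay as:", replay_after_logout(LogoutIgnoringStore()))
    print("hardened store accepts replay as:", replay_after_logout(SessionStore()))
```

A bounded lifetime (`ttl_seconds`) is a second, independent control: even where logout revocation is missing, a short expiry limits how long a captured token stays useful.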
SQL Injection
A SQL injection vulnerability allows privilege escalation by an anonymous user, which can result in access to administrative functions of the FactoryTalk EnergyMetrix system. A successful attack results in privileged access to the application and its data files but not to the underlying computer system. The impact of this vulnerability is highly dependent on the user’s environment and the level of privilege the web server service account has with its associated database.
CVE-2016-4522 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
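Two of the points above, that an anonymous user can reach administrative functions and that the damage depends on the privilege the web server's database account holds, can be shown side by side. The following added example (constructed for this advisory, not FactoryTalk EnergyMetrix code) uses an in-memory SQLite table: a login query that splices user input into SQL text beside its parameterized form, plus a query-only connection standing in for a least-privilege service account. Table contents, function names and the stored values are assumptions for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's user
    table. A real deployment stores a password hash, not the password; the
    literal values here only keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "constructed-admin-pw", "admin"),
         ("viewer", "constructed-viewer-pw", "viewer")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    """The weak pattern: user input is spliced into the SQL text, so the
    input can change the query's structure and match rows it should not."""
    sql = f"SELECT role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, pw):
    """The fix: placeholders keep input as data, never as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND pw = ?", (name, pw)
    ).fetchone()
    return row[0] if row else None


def restrict_to_read_only(conn):
    """Second layer, reflecting the advisory's note on the service account's
    database privilege: a query-only connection cannot modify data even if
    an injection slips through."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def attempt_privilege_change(conn):
    """Return True if this connection is able to modify the users table."""
    try:
        conn.execute("UPDATE users SET role = 'admin' WHERE name = 'viewer'")
        return True
    except sqlite3.OperationalError:
        return False
```

`login_vulnerable` accepts a password field such as `' OR '1'='1` for any user name and returns the first row in the table, whereas `login_parameterized` returns `None` for the same input; `attempt_privilege_change` succeeds on a fresh connection and fails once `restrict_to_read_only` has been applied.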
Rockwell Automation recommends that asset owners evaluate the impact of each of these vulnerabilities within their environment, and apply those of the following suggested mitigations which are applicable. When possible, multiple strategies should be employed simultaneously.
| Product Family | Catalog Numbers | Software Versions | Suggested Actions |
| FactoryTalk EnergyMetrix | 9307-FTEM* | V2.10.00 and earlier | Apply version 2.20.00 or later; Version 2.30 or later is recommended. (Downloads) |
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
On August 11, 2015, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley MicroLogix 1400 product family. The researcher previously disclosed this information at the DEFCON 23 conference on August 8, 2015. The researcher publicly disclosed details relating to this vulnerability, including the existence of exploit code. However, at the time of publication, no known exploit code relating to this vulnerability has been released to the public. ICS-CERT published an alert (ICS-ALERT-15-225-02A) to cover this vulnerability.
As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has also reproduced the vulnerability in the MicroLogix 1400, and further discovered and reproduced the vulnerability in the MicroLogix 1100 product family. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.
Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.
Rockwell Automation will resolve this vulnerability in the next minor revision of product firmware, currently expected to be available in the October 2015 timeframe. This advisory will be updated to provide upgrade information when it is available.
The vulnerability in the MicroLogix’s webserver allows an attacker to inject arbitrary web content into an unsuspecting user’s web browser by using a built-in feature to "redirect" outside web content into the product’s web pages. This outside web content could contain malicious content that would target the web browser when the content is rendered. The impact to the user’s automation system would be highly dependent on both the type of web exploits included in this attack and the mitigations that the user may already employ. The target of this type of attack is not the MicroLogix itself. Instead, the MicroLogix is used as a vehicle to deliver an attack to a device running a web browser.
A successful attack would not compromise the integrity of the device or allow access to confidential information contained on it. On rare occasions the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.
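The feature described above, a redirect that pulls outside content into the device's own pages, is safe only if the device refuses targets it does not trust. The following added example (constructed for this advisory, not MicroLogix firmware code) shows an allowlist check of the kind a web server can apply to a redirect parameter: same-site paths and https URLs on a fixed host list pass, while other schemes, scheme-relative URLs, userinfo tricks and lookalike hosts are refused. The host names and the function name are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts whose content the device page may redirect to.
ALLOWED_HOSTS = frozenset({"intranet.example", "plc-docs.example"})


def is_allowed_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` is a same-site path or an https URL whose
    host is on the allowlist. Everything else is refused."""
    if not target or any(ch in target for ch in "\\\r\n\t "):
        # Backslashes and whitespace are parsed differently by browsers than
        # by urlsplit; refuse rather than guess how a client would read them.
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference: keep it on the device's own pages. A target
        # such as "//other.host/x" has a netloc and does not reach this branch.
        return parts.path.startswith("/") and not parts.path.startswith("//")
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        # "https://trusted@other.host/" must not pass on the strength of the
        # userinfo part; only the real host counts.
        return False
    host = parts.hostname  # already lower-cased by urlsplit
    return host is not None and host in allowed_hosts


if __name__ == "__main__":
    for candidate in ("/status.htm", "https://intranet.example/help",
                      "//other.example/x", "https://intranet.example.other.example/"):
        print(f"{candidate!r}: {'allowed' if is_allowed_redirect(candidate) else 'refused'}")
```

The check is an exact-host comparison rather than a prefix or substring match, which is what defeats hosts that merely begin with an allowed name.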
April 30, 2015 - Version 1.0
A vulnerability has been discovered by Vladimir Dashchenko and Dmitry Dementjev, Information Security Analysts at Ural Security System Center (USSC), in the encryption approach used by specific versions of RSView32 software to protect the contents of a file containing user-defined passwords. The passwords stored within the file are used to authenticate users in order to grant access to the software and user-created content.
Rockwell Automation has verified the validity of Mr. Dashchenko and Mr. Dementjev’s discovery, and a software patch has been released for RSView32 that enhances the security of the mechanism the software uses to create, manage and make use of user-defined passwords. Customers who continue to use affected versions of the software are encouraged at a minimum to apply this patch, or to migrate to more contemporary Rockwell Automation solutions. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
The following software has been confirmed to be susceptible to the reported vulnerability:
| Software Name | Version |
| RSView32 | All software versions up to and including RSView32 - 7.60.00 (CPR9 SR4) |
VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS
A vulnerability has been discovered in the encryption approach used by RSView32 to create a password storage file used with the software.
User-defined usernames and passwords for RSView32 are stored within the users.act file. The weakness in this file results from the software using a weak and outdated encryption algorithm. The software also reduced password complexity before encrypting the password. In addition, the algorithm’s strength has decreased over time relative to more contemporary encryption technologies. Content encrypted with this older algorithm, such as the users.act file, may be susceptible to unauthorized decryption. If successfully exploited, user-defined passwords can be learned.
For such exposure, an attacker must first gain access to the specific password storage file, or to a copy of the file that is stored local to the RSView32 product. In order to gain such access, the security of the local machine would need to be compromised in some way to allow local or remote access, or some form of successful social-engineering would be needed to convince a victim to grant access to, or supply the particular file to a malicious third party. To make use of the passwords to access user-defined RSView32 protected content, an attacker would similarly need to reverse-engineer the decryption algorithm to learn the plain text, before being able to authenticate and gain access to that protected content.
At this time there is no known publicly available exploit code.
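The two weaknesses named above, reducing password complexity before protecting it and protecting it with a reversible algorithm, can be contrasted with the approach expected of a password store today. The following added example (constructed for this advisory; it is not the RSView32 algorithm, whose details the advisory does not give) models a legacy scheme as "uppercase, truncate, XOR with a fixed key" and sets beside it a salted memory-hard hash that cannot be reversed and that makes equal passwords produce different records. The key, parameters and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

_TOY_KEY = b"rsv"  # constructed fixed key for the weak scheme


def weak_store(password: str) -> bytes:
    """Constructed model of a legacy reversible scheme: complexity is reduced
    first (uppercased, truncated to 8 characters), then the result is
    XOR-"encrypted" with a key that is the same on every installation."""
    reduced = password.upper()[:8].encode()
    return bytes(b ^ _TOY_KEY[i % len(_TOY_KEY)] for i, b in enumerate(reduced))


def weak_recover(stored: bytes) -> str:
    """Anyone holding the file and the key gets the (reduced) password back."""
    return bytes(b ^ _TOY_KEY[i % len(_TOY_KEY)] for i, b in enumerate(stored)).decode()


# scrypt cost parameters: 16 MiB of memory per guess, which is what slows
# offline guessing against a stolen file.
_SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def strong_store(password: str, salt: bytes = None) -> dict:
    """Salted, memory-hard, one-way: the stored record cannot be reversed,
    and the per-user salt stops precomputed tables and cross-user matches."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return {"salt": salt, "digest": digest}


def strong_verify(password: str, record: dict) -> bool:
    digest = hashlib.scrypt(password.encode(), salt=record["salt"], **_SCRYPT)
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare


if __name__ == "__main__":
    # Two different passwords collapse to the same stored value in the weak scheme.
    print(weak_store("Operator2015!") == weak_store("OPERATOR9999"))  # True
    print(weak_recover(weak_store("Secret")))  # SECRET
    rec = strong_store("Operator2015!")
    print(strong_verify("Operator2015!", rec), strong_verify("OPERATOR9999", rec))
```

`weak_recover` exists only to show the exposure: once the file and the shared key are in hand, every entry is readable. `strong_verify` has no counterpart that yields the password, which is the property the advisory's countermeasures depend on.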
CUSTOMER RISK MITIGATION AND REMEDIATION
A software patch has been released for RSView32 to mitigate risk associated with the discovered vulnerability. Customers using affected versions of the RSView32 are encouraged to apply this patch and take added precautions as outlined herein.
Where feasible, additional precautions and risk mitigation strategies for this type of attack, such as those listed below, are similarly recommended. When possible, multiple strategies should be employed simultaneously.
| Software | Catalog Number | Affected Software | Recommendation |
| RSView32 | 9301-2SEx | All software versions | Apply reference software patch: |
ONGOING RISKS AND PRODUCT MIGRATION
The RSView32 product has inherent technical limitations that are likely to make subsequent security patches more difficult, if not altogether infeasible in the future. Furthermore, RSView32 is not compatible with certain contemporary versions of the Microsoft Windows® operating system. While this particular product patch helps to mitigate a very specific security risk, it has no positive effect on other known and unknown vulnerabilities in the Windows OS on which the product is installed and operates. In addition, some Windows versions (with which the product still operates) are no longer in support by the manufacturer, yet they are known to be highly susceptible to a variety of significant, unpatchable security risks.
We recommend customers consider upgrading their software and compatible operating systems to more contemporary versions everywhere possible. In parallel, customers should adopt measures to keep products current and patched.
For those customers who choose to continue using RSView32, we strongly recommend they upgrade the operating system on which the product runs to a compatible version that is as current as possible and is still in support by the manufacturer. When this compatibility can no longer be assured, or the operating system support expires, Rockwell Automation stands ready to help our customers migrate to contemporary solutions as we also help protect and leverage their previous investments.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
April 20, 2015 - version 1.0
A vulnerability has been discovered by independent researcher Ivan Javier Sanchez in a non-critical software component distributed with certain versions of the RSLinx Classic product. The included executable, OpcTest.exe, is a test client for RSLinx’s support of the OPC-DA protocol. The discovered vulnerability is not remotely exploitable and successful social engineering is required to convince a victim to use the test client to open an untrusted, specifically modified CSV file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as OpcTest.exe. At this time there is no known publicly available exploit code.
Rockwell Automation has verified the validity of Mr. Sanchez’ discoveries and a new software release has been issued for RSLinx Classic that includes a new version of OPCTest.exe to address the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.
AFFECTED PRODUCTS
The following software has been confirmed to be susceptible to the reported vulnerability:
| Software Name | Version |
| RSLinx Classic | All versions prior to, not including 3.73.00 |
VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS
OpcTest.exe has a capability to import a comma-separated values (CSV) file, containing lists of tags and groups, so that the software user can easily subscribe to these items from the RSLinx Classic software. The discovered vulnerability is within the OpcTest.exe code that parses this CSV content. In certain cases where a uniquely crafted or altered file is used, the OpcTest.exe parser code execution can encounter a buffer overflow, which has potential to modify the stack and allow the execution of unknown code on the affected computer. If successful, such unknown code will be running at the same privilege level as the user who is logged into the machine.
Exploitation of this vulnerability requires an attacker to convince a user to introduce or replace CSV files with specifically created or modified CSV files that have been constructed to use this buffer overflow condition to successfully execute malicious code.
Potential impacts from a successful attack could include a software crash (e.g. Denial of Service) thereby requiring a software restart. In more extreme cases, the victim may not even be aware of vulnerability exploitation while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same, or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.
CUSTOMER RISK MITIGATION AND REMEDIATION
Customers using affected versions of RSLinx Classic are encouraged to upgrade to the newest available software versions, which address the associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies for this type of attack, such as those listed below, are similarly recommended. When possible, multiple strategies should be employed simultaneously.
| Software | Catalog Number | Affected Software | Recommendation |
| RSLinx Classic | 9355-WABSNENE; 9355-WABOEMENE; 9355-WABGWENE | All software versions prior to 3.72.00.01 | Upgrade to 3.73.00 or higher (available now) |
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
February 12, 2015 - version 1.0
A vulnerability has been discovered by independent researcher Ivan Javier Sanchez in software components that comprise, and are shared by, the FactoryTalk Services Platform used in FactoryTalk-branded products and FactoryTalk View Studio.
These vulnerabilities are not exploitable remotely without user interaction. The exploits are only triggered when a local user runs the vulnerable application, and it loads the malformed DLL file. Exploiting this vulnerability relies on successful social engineering of a victim to run an untrusted file or to access a malicious webpage using a browser susceptible to redirection. These actions could allow an untrusted binary or DLL to be loaded into the memory of a client computer.
At this time there is no known publicly available exploit code.
Rockwell Automation has verified the validity of Mr. Sanchez’ discoveries and released new FactoryTalk Services Platform and FactoryTalk View Studio software to address associated risk. Customers using affected versions of this software are encouraged to upgrade to the newest available software versions or apply appropriate patches as indicated below. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.
AFFECTED PRODUCTS
The following software has been confirmed to be susceptible to the reported vulnerability:
| Software Name | Version | Verify Software Version Method |
| FactoryTalk Services Platform (FTSP) | All versions prior to and not including 2.71 | Software version can be verified using Windows Add/Remove programs utility |
| FactoryTalk View Studio | Version 8.00.00 and all prior versions | Software Help > About |
VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS
It was discovered that certain DLLs (Dynamic Link Library) that are included with older versions of FactoryTalk Services Platform and View Studio software can be potentially hijacked to allow an attacker to gain access rights to a victim’s affected PC. Such access rights can be at the same, or potentially higher level of privileges as the compromised user account, including up to computer administrative privileges.
DLL hijacking is a known and documented vulnerability affecting Microsoft Windows operating systems. Exploitation of this vulnerability typically requires social engineering to successfully introduce a malicious DLL onto a target computer and within a specific file directory set as the default DLL search path for the particular edition of Microsoft Windows operating system.
To exploit this vulnerability, an attacker would either have to breach account access or get someone to install software or a specific DLL that was not approved. The malicious DLL would need to be installed onto the target computer in a specific file directory set as the default DLL search path for the particular edition of Microsoft Windows operating system.
When a DLL vulnerability is exploited, trusted software can unknowingly load an untrusted DLL in place of the intended DLL. Its effects can range from a software crash (i.e. Denial of Service) requiring software restart, to more significant events such as the injection of malicious code into trusted processes. The malicious code can also access process memory space that may store sensitive information or additional services that may be manipulated by the modified DLL.
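The mechanism described in the three paragraphs above is a search-order problem: the loader walks a fixed list of directories and takes the first file with the right name, so a directory earlier in that list that standard users can write to lets a planted file shadow the intended DLL. The following added example (constructed for this advisory, not FactoryTalk code) is an audit helper that, given a search order, a snapshot of directory contents and the directories standard users can write to, reports which writable directories the loader would consult before reaching the legitimate copy. The directory order follows the documented Windows default with SafeDllSearchMode enabled; the directory contents, ACL model and function names are constructed assumptions.

```python
# Default DLL search order used by Windows when SafeDllSearchMode is enabled:
# application directory, system directories, Windows directory, then the
# current directory, then the directories on PATH.
SEARCH_ORDER = [
    r"C:\Program Files\Vendor\App",  # directory of the executable
    r"C:\Windows\System32",
    r"C:\Windows\System",
    r"C:\Windows",
    r"C:\Users\operator\Desktop",    # current working directory
    r"C:\Tools",                     # a directory on PATH
]

# Constructed snapshot: which DLLs each directory holds.
CONTENTS = {
    r"C:\Program Files\Vendor\App": {"app.exe", "vendorlib.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "version.dll"},
    r"C:\Windows\System": set(),
    r"C:\Windows": set(),
    r"C:\Users\operator\Desktop": set(),
    r"C:\Tools": {"helper.dll"},
}

# Constructed ACL model: directories a standard (non-admin) user can write to.
USER_WRITABLE = {r"C:\Users\operator\Desktop", r"C:\Tools"}


def _holds(directory, name, contents):
    """Case-insensitive membership test, matching how Windows names files."""
    return name.lower() in {f.lower() for f in contents.get(directory, set())}


def resolve_dll(name, search_order=SEARCH_ORDER, contents=CONTENTS):
    """Return the directory from which `name` would be loaded, or None if it
    is absent from every directory on the search path."""
    for directory in search_order:
        if _holds(directory, name, contents):
            return directory
    return None


def hijack_exposure(name, search_order=SEARCH_ORDER, contents=CONTENTS,
                    user_writable=USER_WRITABLE):
    """Audit one DLL name. Returns the user-writable directories the loader
    consults before it reaches the legitimate copy (or before it gives up,
    when the DLL is not present anywhere). An empty list means no standard
    user could shadow the real DLL from these directories."""
    exposed = []
    for directory in search_order:
        if _holds(directory, name, contents):
            break  # legitimate copy found; later directories are never consulted
        if directory in user_writable:
            exposed.append(directory)
    return exposed


if __name__ == "__main__":
    for dll in ("version.dll", "helper.dll", "missing.dll"):
        print(dll, "->", resolve_dll(dll), "exposed via:", hijack_exposure(dll))
```

In this constructed snapshot `version.dll` resolves from System32 with no exposure, `helper.dll` is exposed through the current directory that precedes `C:\Tools`, and a name that is absent everywhere is exposed through every writable directory on the list. The remediation the audit points to is the one the advisory gives: keep the application directory and PATH entries out of reach of standard users and install the required DLLs where the loader finds them first.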
CUSTOMER RISK MITIGATION AND REMEDIATION
Although there are no known exploits at this time, customers using affected versions of the FactoryTalk Services Platform and View Studio are encouraged to upgrade to the newest available software versions where possible, or to apply appropriate patches.
Upgrade affected products as follows:
| Software | Catalog Number | Affected Firmware | Recommendation |
| FactoryTalk Services Platform (FTSP) | N/A | All software versions prior to and not including 2.71.00 | Upgrade to V2.71.00 or higher (available now). If an upgrade is not currently possible, apply Patch V2.70.00: KB#631115. Note: This software is included with Studio 5000™ software Version 24 and higher. |
| FactoryTalk View Studio | 9701-VWSS000LENE | Version 8.00.00 and all prior versions | Apply software patch for V8.00.00 or higher: KB#631115. Note: When available, FactoryTalk View Studio V8.10.00 will include this standalone software patch. |
If a patch is not available for your system, customers are still advised to maintain good practices to not allow unauthorized access/software in their production systems.
Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
<<< START UPDATE-A >>>
A vulnerability has been reported affecting two custom ActiveX components provided with the Connected Components Workbench (CCW) software. If exploited, it will crash a targeted component and it can potentially allow for arbitrary code injection on the computer hosting the component. The vulnerability is both locally and remotely exploitable via a successful social engineering attack, such as an attack that targets a victim or victims via a phishing campaign. At this time there is no known publicly available exploit code.
<<< END UPDATE-A >>>
Rockwell Automation has verified the validity of the vulnerability claim and released a new software build, Version 7.00.00 to address associated risk. In parallel, other CCW software components in this new build have been bolstered as a result of the company’s focus on security-quality and continuous improvement. All customers using CCW software prior to Version 7.00.00 are strongly encouraged to upgrade to Version 7.00.00 or newer at their earliest convenience. Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.
Note: CCW Version 7.00.00 and higher are not susceptible to the reported vulnerability.
<<< START UPDATE-A >>>
The reported CCW ActiveX vulnerability is the result of a software coding error that was further compounded by the use of an older version of a compiler used to create the custom ActiveX components. The vulnerability allows an attacker to send an arbitrary, out of range value to a particular property of an affected ActiveX component to crash its operation and then potentially allow for an execution of unauthorized code on the computer hosting the software.
Neither the CCW software, nor the vulnerable ActiveX components necessarily need to be running for an attack to be successful.
The attack vector to exploit this vulnerability first requires a user with local access to the computer containing both a susceptible ActiveX component and a container to either knowingly or unknowingly execute some form of malicious code. Such code could likely be delivered via the loading of an infected webpage or some document opened in a web browser or other container capable of running ActiveX controls. A plausible attack scenario could begin with a phishing attack, whereby a victim is convinced to open and run a malicious HTML file or other such infected file, or to visit a maliciously-altered webpage that has been tailored to specifically exploit this vulnerability in an affected ActiveX component.
<<< END UPDATE-A >>>
Potential impacts from a successful attack could include a simple crash of CCW software (e.g. Denial of Service), thereby requiring a software restart to recover from the crash. In more extreme cases, the victim may not even be aware of vulnerability exploitation since neither CCW nor an affected ActiveX component needs to be running for an attacker to inject malicious code to the susceptible software component. A successful attack that includes malicious code injection may potentially grant the attacker the same, or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.
A new version of CCW software, Version 7.00.00 has been released to address associated risk with the vulnerability in the affected ActiveX components. This same software release also includes added software improvements to enhance product security and resilience against similar malicious attacks. All customers using CCW software are encouraged to upgrade to Version 7.00.00 or newer at their earliest convenience.
The following immediate mitigation strategies are recommended. When possible, multiple strategies should be employed simultaneously.
| Software | Catalog Number | Affected Firmware | Recommendation |
| Connected Component Workbench (CCW) Software | CCW - Free and Developer Edition (Dev Ed) | All CCW software versions prior to, and including Version 6.01.00 | Upgrade to CCW Version 7.00.00 or higher (available now). Refer to additional recommended risk mitigations as provided herein. |
Current CCW software can be obtained here: http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?crumb=112 (Product Search: CCW; Version: 7.00.00 or higher)
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
September 9, 2014 - Version 1.0
Rockwell Automation was notified by independent researcher Matthew Luallen of CYBATI (https://cybati.org/) and ICS-CERT of a Denial of Service (DoS) vulnerability to the DNP3 implementation of the Allen-Bradley MicroLogix 1400 controller platform. At this time, there is no known publicly available exploit code relating to the vulnerability. Rockwell Automation has verified Mr. Luallen’s discovery and released revised product firmware to address associated risk. Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.
AFFECTED PRODUCTS
In collaboration with Mr. Luallen, Rockwell Automation has determined certain Allen-Bradley MicroLogix 1400 controller platforms are affected by this vulnerability:
VULNERABILITY DETAILS
DNP3 communication is disabled by default in the MicroLogix 1400 product. If the DNP3 capability is enabled, specific versions of the product become susceptible to a Denial of Service (DoS) attack that can be triggered when the product receives a particular series of malformed packets over its Ethernet or local serial ports that are directed at the link layer DNP3 header.
Successful exploitation of this vulnerability results in a disruption of the DNP3 application layer process and a loss of product communication and availability on the network, thereby resulting in a denial of service condition. Exploitation of the vulnerability can be triggered remotely and the attack is repeatable. Furthermore, the DoS results will be successful regardless of controller’s mode switch setting.
Product recovery from the denial of service condition requires a power cycle, yet the product will remain susceptible to subsequent attacks until the vulnerability is addressed or the threat is adequately mitigated or removed.
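The vulnerability above is triggered by malformed frames aimed at the DNP3 link-layer header, so the defensive measure a protocol-aware firewall, IDS or hardened implementation applies is to validate that header before any data reaches the application layer. The following is an added example, not Rockwell or MicroLogix code; it implements the IEEE 1815 link-layer framing (0x05 0x64 start octets, LEN, CTRL, DEST, SRC, CRC-16/DNP over the header and over each 16-octet data block) and rejects frames whose declared length, CRCs or function code do not hold up. The `build_link_frame` helper only exists to produce constructed test input.

```python
"""DNP3 link-layer frame validation (added example; not Rockwell or MicroLogix code)."""
import math
from typing import Tuple

DNP3_START = b"\x05\x64"
HEADER_LEN = 10      # start(2) + LEN(1) + CTRL(1) + DEST(2) + SRC(2) + CRC(2)
BLOCK_LEN = 16       # user data travels in 16-octet blocks, each followed by a 2-octet CRC
MAX_USER_DATA = 250  # LEN is one octet (max 255) and counts CTRL+DEST+SRC (5) plus user data
PRIMARY_FUNCS = {0, 1, 2, 3, 4, 9}     # link function codes valid when PRM=1
SECONDARY_FUNCS = {0, 1, 11, 14, 15}   # link function codes valid when PRM=0


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def expected_frame_len(length_field: int) -> int:
    """Total octets on the wire implied by the LEN field, block CRCs included."""
    user_len = length_field - 5
    return HEADER_LEN + user_len + 2 * math.ceil(user_len / BLOCK_LEN)


def build_link_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a well-formed frame; used here only to construct test input."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds 250 octets")
    header = (DNP3_START + bytes([5 + len(user_data), ctrl])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), BLOCK_LEN):
        block = user_data[i:i + BLOCK_LEN]
        frame += block + crc_dnp(block).to_bytes(2, "little")
    return frame


def validate_link_frame(frame: bytes) -> Tuple[bool, str]:
    """Reject a frame before any of it reaches the application layer.

    Checks run cheapest-first: start octets, LEN floor, header CRC, function
    code, declared-vs-actual length, then every data-block CRC.
    """
    if len(frame) < HEADER_LEN:
        return False, "short frame: link header incomplete"
    if frame[:2] != DNP3_START:
        return False, "bad start octets"
    length_field = frame[2]
    if length_field < 5:
        return False, "LEN below minimum of 5"
    if crc_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        return False, "header CRC mismatch"
    ctrl = frame[3]
    prm = bool(ctrl & 0x40)
    func = ctrl & 0x0F
    if func not in (PRIMARY_FUNCS if prm else SECONDARY_FUNCS):
        return False, f"invalid function code {func} for PRM={int(prm)}"
    want = expected_frame_len(length_field)
    if len(frame) != want:
        return False, f"LEN={length_field} implies {want} octets, got {len(frame)}"
    remaining, pos = length_field - 5, HEADER_LEN
    while remaining > 0:
        n = min(BLOCK_LEN, remaining)
        block = frame[pos:pos + n]
        if crc_dnp(block) != int.from_bytes(frame[pos + n:pos + n + 2], "little"):
            return False, f"data block CRC mismatch at offset {pos}"
        pos += n + 2
        remaining -= n
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a valid unconfirmed-user-data frame (CTRL 0xC4: DIR and PRM
    # set, function code 4) and a header whose LEN promises more octets than arrived.
    good = build_link_frame(0xC4, dest=1, src=1024, user_data=bytes(range(20)))
    print(validate_link_frame(good))
    hdr = DNP3_START + bytes([200, 0xC4]) + (1).to_bytes(2, "little") + (1024).to_bytes(2, "little")
    print(validate_link_frame(hdr + crc_dnp(hdr).to_bytes(2, "little")))
```

Because the CRC covers LEN, a tampered length field normally fails the CRC check first; the length check catches the case where an attacker recomputes the CRC but still sends fewer octets than declared.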
RISK MITIGATIONS
A new version of MicroLogix 1400 Series B firmware has been released to address the vulnerability and reduce associated risk to successful exploitation. Subsequent versions of MicroLogix 1400 Series B firmware and newer will incorporate these same enhancements.
The following immediate mitigation strategies are recommended. When possible, multiple strategies should be employed simultaneously.
1. Upgrade all MicroLogix 1400 controllers per the following table:
| Controller Platform | Catalog Number | Affected Firmware | Recommendation |
| MicroLogix 1400 | 1766-L32xxxx | Series B FRN 15.000 and earlier. Series A | Upgrade to Series B FRN 15.001 or higher (available now). Refer to additional recommended risk mitigations as provided herein. |
Current firmware for the MicroLogix 1400 Series B platform can be obtained here:
November 8, 2013 - version 1.0
During the installation of FactoryTalk Activation Manager, a software service from SafeNet Technologies called the Sentinel Local License Manager is automatically installed along with drivers for the USB activation dongles sometimes used with FactoryTalk Activation. These USB dongles are manufactured by SafeNet Technologies.
The Sentinel Local License Manager service is configured to start automatically on the Windows host. Furthermore, the service listens on three (3) communication ports: 1947/TCP, 1947/UDP, and an additional variable UDP port.
Recent evaluation of FactoryTalk Activation Manager has determined the Sentinel Local License Manager service is unnecessary when SafeNet USB activation dongles are used with FactoryTalk Activation. The service is also unnecessary for the operation of any Rockwell Automation products.
Additionally, security testing has identified the Sentinel Local License Manager service may fail when the specific communication ports it listens on become overwhelmed, or when specifically crafted traffic is directed at these ports and the accompanying service. The failure of the Sentinel service is trapped in software. No indications have been observed for potential code injection or successful escalation of privilege on the host.
To date, we are not aware of any known cases of successful exploitation of this vulnerability in FactoryTalk Activation Manager. Furthermore, we are not aware of publicly available proof of concept exploit code.
AFFECTED PRODUCTS
FactoryTalk Activation Manager v3.30 and greater on all Microsoft Windows operating systems is affected.
RISK MITIGATION
Rockwell Automation recommends disabling the SafeNet Sentinel Local License Manager service (hasplms.exe) unless specifically required by a non-Rockwell Automation application. Instructions for performing this operation are found in Knowledge Base (AID:570831). In addition, when a host-based firewall is available, we recommend blocking communication ports 1947/TCP and 1947/UDP on the host computer.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
Released: October 26, 2012
Updated: August 2, 2013 <Update A>
On September 14, 2012, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley MicroLogix 1400 controller platform. Details relating to this vulnerability, including the existence of exploit code, have been made public by the researcher at various training events. At this time, no known exploit code relating to this vulnerability has been released to the public.
On October 2, 2012 Rockwell Automation independently initiated and maintained direct contact with the researcher to obtain pertinent facts relating to this matter due to lack of sufficient details shared through ICS-CERT. We continue to work with the researcher directly and keep him apprised of the expanded scope of impact from his initial findings.
As a matter of course, Rockwell Automation expanded the scope of this evaluation beyond the MicroLogix 1400 platform in order to determine if this same threat vector has the potential to impact other A-B controller platforms. Rockwell Automation has reproduced the vulnerability. Due to the breadth of platforms potentially affected, we have been conducting thorough evaluations to ensure completeness in our risk assessment and mitigation process.
Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.
AFFECTED PLATFORMS
Rockwell Automation has determined the following A-B products are affected by this vulnerability:
MicroLogix 1100 controller
MicroLogix 1200 controller (all versions prior to 13.000)
MicroLogix 1400 controller
MicroLogix 1500 controller (all versions prior to 13.000)
SLC 500 controller platform
PLC5 controller platform
VULNERABILITY DETAILS
MicroLogix Controller Platform
The vulnerability in the MicroLogix controller platform occurs due to inadequate write protection measures on the controller’s Status file.
The MicroLogix controller is susceptible to a remotely exploitable Denial of Service (DoS) attack should it receive certain messages that change specific status bits in the controller’s Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.
SLC 500 Controller Platform
The vulnerability in the SLC 500 controller platform occurs when the controller’s Status file property is not set to "Static," thereby allowing changes to the file contents.
When the SLC 500’s Status file is not configured to "Static," the SLC 500 controller is susceptible to a remotely exploitable Denial of Service (DoS) attack when it receives certain messages that change specific bits in its Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.
PLC5 Controller Platform
The vulnerability in the PLC5 controller platform occurs when the controller’s "Password and Privileges" feature is disabled.
When the Passwords and Privileges feature of the PLC5 controller is not enabled, the PLC5 controller is susceptible to a remotely exploitable Denial of Service (DoS) attack when it receives certain messages that change specific bits in its Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.
RISK MITIGATIONS
MicroLogix Controller Platform
<Begin Update A>
| Product | Recommended Action |
| MicroLogix 1100 controller | Upgrade product firmware to release 13.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html |
| MicroLogix 1200 controller | Upgrade product firmware to release 13.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html |
| MicroLogix 1400 controller | Upgrade product firmware to release 14.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html |
| MicroLogix 1500 controller | Upgrade product firmware to release 13.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html |
<End Update A>
In addition to the above product-level mitigations, Rockwell Automation recommends the following mitigation strategies to help reduce the likelihood of compromise and the associated security risk. When possible, multiple strategies should be employed simultaneously:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
3. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
4. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
5. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/
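Strategy 3 above is only as good as its enforcement, so a practitioner will want to confirm from firewall logs that CIP traffic on TCP/UDP 2222 and 44818 really does not cross the Manufacturing Zone boundary. The following is an added example, not Rockwell code: it scans constructed firewall log lines (the log format, the 10.10.0.0/16 zone range and the hostname `fw1` are assumptions) and reports out-of-zone CIP traffic, distinguishing permitted flows, which indicate a policy gap, from blocked attempts.

```python
"""Flag EtherNet/IP (CIP) traffic crossing the Manufacturing Zone boundary (added example; not Rockwell code)."""
import re
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Iterable, List, Optional

CIP_PORTS = {2222, 44818}     # TCP/UDP ports the advisory says to block from outside the zone
# Assumption: the Manufacturing Zone is 10.10.0.0/16; adjust to the site's addressing plan.
MANUFACTURING_ZONE = [ip_network("10.10.0.0/16")]

# Constructed firewall log format; real devices differ, so only this regex needs changing.
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>TCP|UDP) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) action=(?P<action>ALLOW|DENY)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract the connection fields from one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def in_zone(addr: str, zone: List[IPv4Network]) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in zone)


def classify(rec: Dict[str, str], zone: List[IPv4Network]) -> Optional[str]:
    """Return a finding label for CIP traffic entering the zone from outside, else None."""
    if int(rec["dport"]) not in CIP_PORTS or not in_zone(rec["dst"], zone):
        return None
    if in_zone(rec["src"], zone):
        return None          # intra-zone CIP traffic is expected
    if rec["action"] == "ALLOW":
        return "POLICY GAP: out-of-zone CIP traffic permitted"
    return "ATTEMPT: out-of-zone CIP traffic blocked"


def audit_log(lines: Iterable[str], zone: List[IPv4Network] = MANUFACTURING_ZONE) -> List[Dict[str, str]]:
    """Run every parseable line through classify(); unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec, zone)
        if label:
            findings.append({**rec, "finding": label})
    return findings


SAMPLE_LOG = [  # constructed log lines
    "2012-11-05T08:01:12 fw1 src=10.10.5.20 dst=10.10.1.7 proto=TCP sport=51022 dport=44818 action=ALLOW",
    "2012-11-05T08:01:19 fw1 src=192.168.50.9 dst=10.10.1.7 proto=TCP sport=40311 dport=44818 action=ALLOW",
    "2012-11-05T08:02:03 fw1 src=172.16.0.4 dst=10.10.1.9 proto=UDP sport=2222 dport=2222 action=DENY",
    "2012-11-05T08:02:40 fw1 src=192.168.50.9 dst=10.10.1.7 proto=TCP sport=40312 dport=80 action=ALLOW",
    "2012-11-05T08:03:01 fw1 malformed entry",
]

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f['src']:<14} -> {f['dst']}:{f['dport']}/{f['proto']}  {f['finding']}")
```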
We will communicate additional mitigation strategies to our concerned customers should more direct product-level mitigations be developed that can further reduce associated risk from this vulnerability.
SLC 500 Controller Platform
Remote attempts to write data to the SLC 500 platform’s Status file are ignored and discarded by setting the controller’s Status file properties to "Static" via RSLogix 500 software.
Rockwell Automation recommends where possible that the Status file "Static" configuration setting be enabled to reduce the likelihood of successful exploitation of the vulnerability. The "Static" file property setting is configured in the Status File Properties page of RSLogix 500 software.
PLC5 Controller Platform
Remote attempts to write data to the PLC5 platform’s Status file are ignored and discarded by using the controller’s "Password and Privileges" feature, configured via RSLogix 5 software.
Rockwell Automation recommends where possible that the Passwords and Privileges feature be enabled to reduce the likelihood of successful exploitation of the vulnerability.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
April 5, 2013
Updated: June 28, 2013
Rockwell Automation was notified through ICS-CERT that Carsten Eiram from the security firm, Risk Based Security (www.riskbasedsecurity.com) identified vulnerabilities that affect a software component of the FactoryTalk™ Service Platform (RNADiagnostics.dll) and two software components of RSLinx Enterprise software (LogReceiver.exe and Logger.dll). These vulnerabilities have been confirmed to be remotely exploitable, which can lead to termination of affected software services and Denial of Service conditions.
To date, Rockwell Automation is not aware of any known cases of successful exploitation of these vulnerabilities in operational systems. Furthermore, we are not aware of publicly available proof of concept exploit code.
Rockwell Automation worked directly with Mr. Eiram to verify his findings, determine root cause and validate the resulting software patches being issued for the FactoryTalk Services Platform and RSLinx Enterprise software. Given the company’s focus on continuous improvement, added steps are being taken to further enhance the development and testing processes associated with these products. As a result, additional product hardening enhancements have been included in the referenced software patches and will continue to be deployed via forthcoming product releases.
AFFECTED PRODUCTS
VULNERABILITY DETAILS AND IMPACTS
FACTORYTALK SERVICES PLATFORM
(RNADiagnostics.dll)
The software components exhibit a vulnerability as a result of missing input validation and improper exception handling with streaming data. A specially crafted packet sent to TCP port 5241 will result in a crash of the RsvcHost.exe service. A successful attack will result in the following:
The vulnerability can be exploited remotely from a network-based attack; however, no possibility of malicious code injection or escalation of privilege on the host machine is known to result from successful exploitation. There is also no indication that exploitation will directly disrupt operation of a Rockwell Automation programmable controller, operator interface or other networked device connected elsewhere in the local control system.
RSLINX ENTERPRISE SOFTWARE
(LogReceiver.exe and Logger.dll)
These software components exhibit a vulnerability as a result of a logic error in the service’s handling of zero-byte or large datagrams arriving as incoming requests on UDP port 4444 (user-configurable, but not enabled by default). When successfully exploited, the vulnerability will cause the thread receiving data to exit, resulting in the service silently ignoring further incoming requests. A successful attack will result in two respective conditions:
The vulnerability can be exploited remotely with the potential for code injection; however, no possibility of escalation of privilege on the host machine is known to result from successful exploitation. Although theoretical, a possibility of remote code execution has been identified. There is also no indication that exploitation will directly disrupt operation of a Rockwell Automation programmable controller, operator interface or other networked device connected elsewhere in the local control system.
< Update Start>
As a result of additional analysis conducted by Risk Based Security, Inc. of the LogReceiver.exe service, additional enhancements have been made to the LogReceiver.exe to further increase resiliency of the service.
< Update End >
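The LogReceiver.exe failure mode described above (one unexpected datagram ends the receiving thread, after which the service silently stops reading) is a general pattern in datagram services, as is the FactoryTalk Diagnostics case of missing input validation and exception handling. The following is an added example, not Rockwell code, contrasting a receive loop that fails that way with one that validates each datagram's length and isolates per-datagram errors; the `LEVEL|source|message` record format, the 1400-byte cap and the in-memory feed standing in for `socket.recv()` are assumptions made so it runs offline.

```python
"""Datagram receive loop hardened against the LogReceiver failure mode (added example; not Rockwell code)."""
import logging
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

log = logging.getLogger("logreceiver")

MAX_DATAGRAM = 1400   # assumption: largest log record the service should accept
RecvFn = Callable[[], Optional[bytes]]   # returns None once the socket is closed


def parse_record(data: bytes) -> Dict[str, str]:
    """Parse a constructed 'LEVEL|source|message' record; malformed input raises."""
    level, source, message = data.decode("ascii").split("|", 2)
    if level not in ("INFO", "WARN", "ERROR"):
        raise ValueError(f"unknown level {level!r}")
    return {"level": level, "source": source, "message": message}


def fragile_receive_loop(recv: RecvFn, sink: List[Dict[str, str]]) -> int:
    """The failure mode: a zero-length or malformed datagram raises out of the
    loop, the thread ends, and every later datagram is silently never read."""
    count = 0
    while (data := recv()) is not None:
        if len(data) == 0:
            raise ValueError("zero-length datagram")   # uncaught: thread exits
        sink.append(parse_record(data))                 # may raise as well
        count += 1
    return count


def hardened_receive_loop(recv: RecvFn, sink: List[Dict[str, str]]) -> Dict[str, int]:
    """Each datagram is bounds-checked and handled in isolation; the loop outlives bad input."""
    stats = {"processed": 0, "dropped": 0}
    while (data := recv()) is not None:
        if not 0 < len(data) <= MAX_DATAGRAM:
            log.warning("dropping datagram of %d bytes", len(data))
            stats["dropped"] += 1
            continue
        try:
            sink.append(parse_record(data))
            stats["processed"] += 1
        except ValueError as exc:       # UnicodeDecodeError is a ValueError subclass
            log.warning("dropping malformed datagram: %s", exc)
            stats["dropped"] += 1
    return stats


def make_feed(datagrams: List[bytes]) -> RecvFn:
    """Stand-in for socket.recv(): hands out constructed datagrams, then None."""
    queue = deque(datagrams)
    return lambda: queue.popleft() if queue else None


def compare(datagrams: List[bytes]) -> Tuple[str, Dict[str, int]]:
    """Run both loops over the same traffic; returns (fragile outcome, hardened stats)."""
    records: List[Dict[str, str]] = []
    try:
        outcome = f"completed {fragile_receive_loop(make_feed(datagrams), records)}"
    except ValueError as exc:
        outcome = f"died after {len(records)}: {exc}"
    return outcome, hardened_receive_loop(make_feed(datagrams), [])


SAMPLE_DATAGRAMS = [                                   # constructed test traffic
    b"INFO|RSLinx|topic refresh complete",
    b"",                                               # zero-length datagram
    b"X" * 60000,                                      # oversized datagram
    b"not a log record",                               # malformed: no separators
    b"WARN|RSLinx|driver restarted",
]

if __name__ == "__main__":
    print(compare(SAMPLE_DATAGRAMS))
```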
RISK MITIGATION
Software patches for affected FactoryTalk Services Platform and RSLinx Enterprise software are being released to mitigate associated risk:
| Product Description | Affected Versions | Recommendations |
| FactoryTalk Services Platform (FTSP) | CPR9, CPR9-SR1, CPR9-SR2, | Upgrade to FTSP CPR9-SR5 or newer |
| | CPR9-SR5 | Apply patch: AID#522048 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522048 |
| | CPR9-SR5.1 | Apply patch: AID#522049 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522049 |
| | CPR9-SR6 | Apply patch: AID#522052 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522052 |
| Product Description | Affected Versions | Recommendations |
| RSLinx Enterprise | CPR9, CPR9-SR1, CPR9-SR2, | Upgrade to RSLinx CPR9-SR5 or newer |
| | CPR9-SR5 | Apply patch: AID# 544798 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/544798 Update: AID# 534705 has been replaced with AID: 544798, which includes additional security enhancements. |
| | CPR9-SR5.1 | Apply patch: AID# 545535 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/545535 Update: AID# 537302 has been replaced with AID: 545535, which includes additional security enhancements. |
| | CPR9-SR6 | Apply patch: AID#545537 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/545537 Update: AID# 535962 has been replaced with AID: 545537, which includes additional security enhancements. |
Corrective actions have been taken to help ensure subsequent software versions of FactoryTalk Services Platform, including FactoryTalk Diagnostics, and RSLinx Enterprise will remain free of this vulnerability.
In addition to applying the above patches, to help further reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:
We also recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:
Concerned customers are encouraged to continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
April 2, 2013 - version 1.0
Rockwell Automation has become aware of a weak password protection implementation affecting Allen-Bradley brand Stratix™ managed Ethernet switch firmware. This weakness affects Stratix 5700, 8000 and 8300 managed switches products that contain particular versions of IOS® firmware that employ a Type 4 (SHA256) cryptographic password hash algorithm.
Due to an implementation issue in affected IOS versions, a user-provided password that has been hashed using the IOS Type 4 algorithm implementation is less resilient to brute-force attacks than a Type 5 hashed password of equivalent complexity. Successful exploitation of this weakness can lead to unauthorized access to the product.
To date, we are not aware of any known cases of successful exploitation of this vulnerability in Stratix 5700, 8000 or 8300 products. Furthermore, we are not aware of publicly available proof of concept exploit code.
AFFECTED PRODUCTS
The following Stratix managed Ethernet switches are affected:
To determine if a Stratix 8000 or Stratix 8300 is using the above firmware, you can reference the software field located on the dashboard of Device Manager or the IOS Release field on the switch status tab located in the RSLogix 5000 Stratix Add on Profile.
RISK MITIGATION
For details and recommended action to mitigate this security vulnerability in products that contain the affected IOS, go to the following Cisco web site.
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4
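A first step in applying the Cisco guidance is finding out which secrets on a switch are stored as Type 4 at all. The following is an added example, not Rockwell or Cisco code: it scans `show running-config` text for `enable secret` and `username ... secret` lines, flags Type 4 digests (a single unsalted SHA-256, which is why they are weaker than Type 5 salted MD5-crypt digests of equal password complexity) and also catches digests that do not have the shape their declared type requires. The config excerpt is constructed, and its digests are placeholders of the right length, not real hashes.

```python
"""Audit an IOS running-config for Type 4 secrets (added example; not Rockwell or Cisco code)."""
import re
from typing import Dict, List

# One regex per secret-bearing command; shared group names let one loop handle both.
SECRET_PATTERNS = [
    re.compile(r"^\s*enable secret(?: level \d+)? (?P<type>\d+) (?P<hash>\S+)"),
    re.compile(r"^\s*username (?P<user>\S+)(?: privilege \d+)? secret (?P<type>\d+) (?P<hash>\S+)"),
]
TYPE4_SHAPE = re.compile(r"^[A-Za-z0-9./]{43}$")                # unsalted SHA-256, custom base64
TYPE5_SHAPE = re.compile(r"^\$1\$[^$]{1,8}\$[A-Za-z0-9./]{22}$")  # salted, iterated MD5-crypt


def classify_secret(type_code: str, digest: str) -> Dict[str, str]:
    """Return a verdict and reason for one stored secret."""
    if type_code == "4":
        if not TYPE4_SHAPE.match(digest):
            return {"verdict": "malformed", "reason": "Type 4 digest is not 43 base64 characters"}
        return {"verdict": "weak", "reason": "Type 4: single unsalted SHA-256, no iteration; "
                                             "replace per Cisco SR cisco-sr-20130318-type4"}
    if type_code == "5":
        if not TYPE5_SHAPE.match(digest):
            return {"verdict": "malformed", "reason": "Type 5 digest is not $1$salt$hash"}
        return {"verdict": "acceptable", "reason": "Type 5: salted, iterated MD5-crypt"}
    return {"verdict": "review", "reason": f"secret type {type_code} not covered by this check"}


def audit_config(config: str) -> List[Dict[str, object]]:
    """Scan config text line by line; returns one finding per secret found."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for pattern in SECRET_PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            principal = m.groupdict().get("user") or "enable"
            finding: Dict[str, object] = {"line": lineno, "principal": principal, "type": m["type"]}
            finding.update(classify_secret(m["type"], m["hash"]))
            findings.append(finding)
            break
    return findings


# Constructed running-config excerpt; digests are placeholders of the right shape, not real hashes.
SAMPLE_CONFIG = """\
hostname stratix-8000-cell1
enable secret 4 Rv4kArhts7yA2xd8BD5YTynpmdRjRV7hw6qDqF1bMOM
username admin privilege 15 secret 5 $1$abcd$0123456789abcdefghijkl
username ops secret 4 Rv4kArhts7yA2xd8BD5YTynpmdRjRV7hw6qDqF1bMOM
username guest secret 4 tooshort
interface GigabitEthernet1/1
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}  {f['principal']:<8} type {f['type']}  {f['verdict']:<10} {f['reason']}")
```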
In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
Original disclosure: December 18, 2009
Updated: January 20, 2010
Updated: March 19, 2013 - version 1.0 (see below)
Rockwell Automation has identified a security vulnerability in the programming and configuration client software authentication mechanism employed by the MicroLogix™ family of programmable controllers. This vulnerability is known to affect the MicroLogix family of controller platforms, including catalog numbers: 1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx (the "Product").
Details of this vulnerability are as follows:
The potential exists for a highly skilled, unauthorized person with specific tools, know-how and access to the Product or the control system communication link, to intercept data communications between the product and any authorized programming and configuration client, to emulate the role of a trusted software client, and to potentially make unauthorized changes to the Product’s operation.
<START UPDATE>
Added: 20 Jan 2010
RISK MITIGATION
Enhancements to the MicroLogix 1400 firmware are being released that reduce the potential for a successful exploitation of the vulnerability.
MicroLogix 1400
| Catalog Number | Description | Affected Products | Corrective Firmware |
| 1766-L32xxxx | MicroLogix 1400 controller | Series B FRN 11 or earlier | FRN 12 or higher |
Current firmware for MicroLogix can be obtained here:
http://www.ab.com/linked/programmablecontrol/PLC/MicroLogix/downloads.html
<END UPDATE>
<START UPDATE>
Added: 19 March 2013
Both RSLogix 500 and RSLogix Micro software version 8.40 were enhanced to introduce password encryption without any changes necessary to SLC and MicroLogix firmware. This implementation is compatible with all SLC and MicroLogix platforms.
In order to use this capability, a new "Encrypt Password" checkbox has been included in RSLogix 500/Micro version 8.40. This "Encrypt Password" checkbox is located on the Password tab of the Controller Properties page.
NOTE: Once an encrypted password is loaded into a controller, earlier versions of RSLogix 500 and RSLogix Micro will not be able to match the controller password.
For detailed information, refer to Publication 1766-RM001E-EN-P - May 2012, Program Password Protection
<END UPDATE>
Customers who are concerned about unauthorized access to their Products can take immediate steps as outlined below to reduce associated security risk from this potential vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system’s configuration too.
To help reduce the likelihood of exploitation and to help reduce associated security risk, Rockwell Automation recommends the following immediate mitigation strategies (Note: when possible, multiple strategies should be employed simultaneously):
In addition to these immediate risk mitigation strategies, Rockwell Automation is addressing this potential security vulnerability in the Product and associated programming and configuration software. Lastly, Rockwell Automation is committed to making additional security enhancements to our systems in the future.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
January 3, 2013 - version 1.0
Update to January 31, 2012
On January 19, 2012, Rockwell Automation was notified by Digital Bond, Inc. of vulnerabilities discovered in an Allen-Bradley 1756-ENBT communication module. The public disclosure of these findings occurred at the S4 conference and included details to allow for potential reproduction and exploitation of these vulnerabilities.
<Update A>
Rockwell Automation has released firmware to address two of the product vulnerabilities affecting specific controllers, communication modules and adapters.
<Update A>
VULNERABILITY DETAILS
A Denial of Service (DOS) condition may result when an affected product receives a valid CIP message that changes the product’s configuration and network parameters. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a disruption of communication to other products in the controller platform or system.
<Update B>
Rockwell Automation continues to investigate potential mitigations to this vulnerability that maintain compliance with the EtherNet/IP specification.
CVE-2012-6441
An Information Disclosure of product-specific information unintended for normal use results when the affected product receives a specially crafted CIP packet.
<Update B>
A Denial of Service (DOS) condition results when an affected product receives a valid CIP message that instructs the product to reset. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a temporary disruption of communication to other products in the controller platform or system.
<Update C>
Rockwell Automation continues to investigate potential mitigations to this vulnerability that maintain compliance with the EtherNet/IP specification.
<Update C>
CVE-2012-6438
A Denial of Service (DOS) condition and a product-recoverable fault result when an affected product receives a malformed CIP packet. Receipt of such a message from an unauthorized source will cause a disruption of communication to other products in the controller platform or system. Recovery from a successful exploitation of this vulnerability requires the product to be reset via a power cycle of the chassis or removal and reinsertion of the module.
The potential exists for the affected product to accept an altered or corrupted firmware image during its upgrade process that may render the product inoperable or change its otherwise normal operation. Receipt of such an image from an unauthorized source has the potential to cause loss of product availability and a disruption of communication to other products in the controller platform or system. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the product for other malicious activities.
AFFECTED PRODUCTS
Rockwell Automation’s Security Taskforce has determined the following Rockwell Automation products are affected by this vulnerability. Investigations continue to evaluate if other Rockwell Automation products are similarly affected:
<Update D>
CVE-2012-6441
Note: Further evaluation has reduced the list of products affected by this vulnerability.
<Update D>
CVE-2012-6438
<Update E>
Note: Evaluations continue to determine additional products that may be affected.
<Update E>
RISK MITIGATION
To help reduce the likelihood of compromise and the associated security risks, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:
<Update F>
CVE-2012-6439 and CVE-2012-6442 Mitigations
1. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
2. Employ a Unified Threat Management (UTM) appliance that specifically supports CIP message filtering designed to block the specific vulnerabilities:
• CIP Ethernet configuration service
• Messages sent to CIP Class code: 0xc0 with Service code: 0x97 service
• CIP reset service
NOTE: Rockwell Automation continues to investigate and evaluate other product-level strategies to address this vulnerability.
Vulnerabilities CVE-2012-6441 and CVE-2012-6438: Mitigations
Communication Modules and Adapters
Catalog Number | Description | Affected Products | New Firmware
1756-ENBT | EtherNet/IP modules for ControlLogix platform | All firmware revisions prior to 6.005 | 6.005
1756-EWEB | Ethernet Webserver module for ControlLogix platform | All firmware revisions prior to 4.016 (Note: Updated 2 Jan 2013) | 4.016 (Note: Updated 2 Jan 2013)
1768-ENBT | EtherNet/IP modules for CompactLogix platform | All firmware revisions prior to 4.004 (Note: Updated 2 Jan 2013) | 4.004 (Note: Updated 2 Jan 2013)
1768-EWEB | Ethernet Webserver module for CompactLogix platform | All firmware revisions prior to 2.005 | 2.005 (Note: Updated 3 Jan 2013)
1788-ENBT | FLEXLogix EtherNet/IP adapter | Evaluations continue | Evaluations continue
Controllers
Catalog Number | Description | Affected Products | New Firmware
CompactLogix L32E | CompactLogix Controller | All firmware revisions prior to 20.012 | 20.012
CompactLogix L35E | CompactLogix Controller | All firmware revisions prior to 20.012 | 20.012
Distributed I/O
1794-AENTR | FLEX I/O EtherNet/IP adapter | Evaluations continue | Evaluations continue
Find Downloads at:
http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx
CVE-2012-6437: Mitigations
At this time, Rockwell Automation continues to evaluate the technical feasibility of enhancing the 1756-ENBT to include a digital signature validation mechanism on firmware.
In lieu of this capability, Rockwell Automation recommends that concerned customers employ good security design practices in their network architecture and also consider using the more contemporary 1756-EN2T EtherNet/IP communication modules for the ControlLogix platform.
The capability for the 1756-EN2T to validate digital signatures has been introduced in the below product release:
Catalog Number | Description | New Firmware
1756-EN2T | EtherNet/IP modules for ControlLogix platform that support digital signature validation on firmware | 5.028
Find Downloads at:
http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx
Other Rockwell Automation products:
1. Obtain product firmware only from trusted manufacturer sources.
2. Use only Rockwell Automation issued tools to perform product firmware upgrades.
3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
4. Refer to AID:433319 and AID:43320 for similar, previously released advisories that include recommended similar mitigation strategies.
NOTE: Rockwell Automation continues to investigate and evaluate other product-level strategies to address this vulnerability.
<Update F>
In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. If appropriate for the application, isolate the Industrial Control System network from the Enterprise network and other points of potential remote network access.
3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
4. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
5. Use up to date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.
6. Make sure that software and control system device firmware is patched to current releases.
7. Periodically change passwords in control system components and infrastructure devices.
8. Where applicable, set the controller key-switch/mode-switch to RUN mode.
9. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
November 29, 2012 - version 1.0
On November 25, 2012, Exodus Intelligence, Inc. (Exodus) disclosed a limited amount of information relating to purported vulnerabilities in some Rockwell Automation products. In addition, they identified associated risks relating to third-party software that is included with the Rockwell Automation product installation. As a result of this information disclosure, Rockwell Automation’s Security Taskforce independently reached out to Exodus to request greater details to help us validate these claims and assess risk so we could rapidly establish a responsible risk mitigation strategy for our customers.
On November 28, 2012, Exodus provided greater details of their findings directly to Rockwell Automation. This included specific information about affected products, product versions and also proof-of-concept exploitation code that demonstrates the particular product weaknesses. With our receipt of this information, Rockwell Automation launched a detailed technical evaluation of the claims and we further expanded our preparations to support our customers in risk remediation activities, if such actions should become necessary.
As a result of Rockwell Automation’s technical evaluations, the vulnerability claims made by Exodus have been validated and verified to affect an older version of a component of the Rockwell Automation FactoryTalk services platform. The particular affected component had been previously identified and has since evolved to already remove any risk associated with Exodus’ findings.
Rockwell Automation’s Security Taskforce evaluations specifically determined:
One vulnerability identified by Exodus was a re-discovery of a previously known anomaly in a component version of a software service. Rockwell Automation addressed this vulnerability via a software patch first issued on October 4, 2011. In addition to releasing the patch, specific process improvement steps were put in place to remove the risk of re-introducing the anomaly in subsequent product releases.
CONTINUOUS IMPROVEMENT AND MATURITY MODEL
Rockwell Automation shares the concerns of our customers, product users, the security research community and the public at large with regard to industrial control system security.
These combined efforts and others result in a maturity model that allows continuous improvements to our contemporary solutions, successfully enhancing product and system security. Where technically feasible, some of these same improvements are also made available for many legacy products and systems.
ADDED RECOMMENDATIONS FOR RISK MITIGATION
Rockwell Automation advocates that all industrial control system asset owners invest to assess security risks in their automation systems and take appropriate measures to reduce known risks to an acceptable level. A balance of both technical and non-technical measures comprises a successful Security Program, therefore risk-reducing compensating controls should include a combination of careful product selection, network and infrastructure design and installation, maintenance and upgrade planning and consistent personnel training complemented by structured policies and procedures for employees to follow.
In particular, keeping software and hardware products and system components up to date remains a key imperative to help maintain and enhance the security posture of industrial control systems. The following links provide basic foundational information on security best practices proven suitable for all control systems:
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
November 2, 2012 - version 1.0
In response to the ICS-CERT Advisory ICSA-12-201-01 – OSISOFT PI OPC DA INTERFACE BUFFER OVERFLOW, Rockwell Automation’s Security Taskforce conducted a thorough evaluation of Rockwell Automation products that include, or make use of, the affected OSIsoft PI OPC DA interface software.
AFFECTED PRODUCTS
As a result of Rockwell Automation’s evaluation, we have determined the following Rockwell Software-brand product includes, and makes use of the OSIsoft PI OPC DA software interface:
FactoryTalk™ Historian SE versions 2.10.00, 2.20.00 and 3.00.00
VULNERABILITY DETAILS
Per ICSA-12-201-01, OSIsoft, LLC proactively disclosed the presence of "a stack-based buffer overflow in the PI OPC DA interface software that could cause the software to crash or allow a remote attacker to execute arbitrary code." Furthermore, "Successful exploitation of this vulnerability could allow a remote, authenticated attacker to execute arbitrary code on a vulnerable system."
Rockwell Automation includes and installs the PI OPC DA interface software with FactoryTalk™ Historian SE; however, this interface is NOT configured and it is NOT running by default. When the PI OPC DA interface software that has been included with the install is used for OPC communications, it is similarly susceptible to the above mentioned stack-based vulnerability and the system-wide effects of successful exploitation of the weakness.
RISK MITIGATION
ICSA-12-201-01 states, "OSIsoft has published a customer notification, and has released a product update that resolves this vulnerability." This release applies specifically to OSIsoft PI OPC DA software.
Rockwell Automation has validated this OSIsoft product update and taken similar measures to proactively release a product update for affected Rockwell Software FactoryTalk Historian SE versions. The software update and associated installation instructions can be found in the Rockwell Automation Knowledgebase at:
AID: 509721 - https://rockwellautomation.custhelp.com/app/answers/detail/a_id/509721
NOTE: We recognize that not all FactoryTalk Historian SE users employ the OPC interface; nonetheless, Rockwell Automation still recommends the above software update be applied to affected software to help mitigate potential future risk should the interface software be used at a later time.
In addition to applying the above software update to affected products, Rockwell Automation’s Security Taskforce recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
3. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/security
July 18, 2012 - version 1.0
Update to December 4, 2013
On January 19, 2012, Rockwell Automation was notified by Digital Bond, Inc. of vulnerabilities discovered in an Allen-Bradley ControlLogix controller. The public disclosure of these findings occurred at the S4 conference and included details to allow for potential reproduction and exploitation of these vulnerabilities.
<Update A>
Vulnerability #1 has been addressed in Logix release V16.023 / V20.011 and higher.
Controller firmware issued with Logix release V16.023 / V20.012 and higher addresses the product vulnerability (see Vulnerability #2 below) in affected ControlLogix and GuardLogix controllers.
<Update A>
VULNERABILITY DETAILS
CVE-2012-6436
A Denial of Service (DOS) condition results when an affected controller receives a malformed CIP packet that causes the controller to enter a fault state requiring the reloading of the user program. Receipt of such a message from an unauthorized source has the potential to cause loss of product availability and a disruption to the operation of other products in a system that depend on instructions issued by the affected controller. Recovery from successful exploitation requires the controller mode switch to be cycled. In addition, the user program must be reloaded either automatically from the local CompactFlash card, or manually via RSLogix 5000 software.
A Denial of Service (DOS) condition results when an affected controller receives a valid CIP message that instructs the controller to stop logic execution and enter a fault state requiring the reloading of the user program. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a disruption to the operation of other products in a system that depend on instructions issued by the affected controller. Recovery from successful exploitation requires the controller mode switch to be cycled. In addition, the user program must be reloaded either automatically from the local CompactFlash card, or manually via RSLogix 5000 software.
AFFECTED PRODUCTS
Rockwell Automation’s Security Taskforce has determined the following Rockwell Automation products are affected by this vulnerability. Investigations continue to evaluate if other Rockwell Automation products are similarly affected:
NOTES: This vulnerability does not exist in controller products using V19 and higher.
RISK MITIGATION
To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:
CVE-2012-6436 Mitigation
CVE-2012-6435 Mitigations
1. Where possible, upgrade CompactLogix and SoftLogix affected products to Logix release V20 and higher.
<Update B>
2. Where possible, upgrade ControlLogix and GuardLogix to Logix firmware release v20.012 or higher.
<Update B>
3. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
4. Employ a Unified Threat Management (UTM) appliance that specifically supports CIP message filtering designed to block the CIP stop service.
NOTE: Rockwell Automation continues to investigate and evaluate other ControlLogix controller product-level strategies to address this vulnerability.
In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. If appropriate for the application, isolate the Industrial Control System network from the Enterprise network and other points of potential remote network access.
3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
4. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
5. Use up to date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.
6. Make sure that software and control system device firmware is patched to current releases.
7. Periodically change passwords in control system components and infrastructure devices.
8. Where applicable, set the controller key-switch/mode-switch to RUN mode.
9. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
July 18, 2012 - version 1.0
Update to May 4, 2012
On January 19, 2012, Rockwell Automation was notified by Digital Bond, Inc. of vulnerabilities discovered in an Allen-Bradley MicroLogix controller. The public disclosure of these findings occurred at the S4 conference and included details to allow for potential reproduction and exploitation of these vulnerabilities.
<Update A>
Rockwell Automation released firmware for the MicroLogix 1400 controller in June 2012 to address the identified product vulnerability in a potential replay attack directed at the product’s webserver.
Due to technical limitations in the MicroLogix 1100 platform, Rockwell Automation recommends that concerned customers reduce the risk associated with this vulnerability by following good industrial control system design and security practices, including those listed below under RISK MITIGATION.
AFFECTED PRODUCTS
Rockwell Automation’s Security Taskforce has determined the following Rockwell Automation products are affected by this vulnerability:
CVE-2012-6440
The webserver password authentication mechanism employed by the affected products is vulnerable to a Man-in-the-Middle (MitM) and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product’s webserver to view and alter product configuration and diagnostics information. Recovery from successful exploitation of this vulnerability may require the product to be reset to its factory-default settings.
RISK MITIGATION
Enhancements to the MicroLogix 1400 firmware are being released that reduce the potential for a successful replay attack targeting the product’s webserver.
MicroLogix 1400
Catalog Number | Description | Affected Products | Corrective Firmware
1766-L32xxxx | MicroLogix 1400 controller | Series B FRN 11 or earlier | FRN 12 or higher
Current firmware for MicroLogix can be obtained here: http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html
<Update A>
MicroLogix 1100 and 1400
To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:
1. Where possible for affected products, disable the web server in the Ethernet Channel 1 configuration in RSLogix 500 software. This is done by unchecking the HTTP Server Enable checkbox (checked by default) and power cycling the controller.
2. Change all default Administrator and Guest passwords.
3. If webserver functionality is desired in the MicroLogix 1100 or 1400 controllers, we recommend the product’s firmware be upgraded to the most current version that includes enhanced protections including:
a. When a controller receives two consecutive invalid authentication requests from any HTTP client, the controller resets the Authentication Counter after 60 minutes.
b. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any further authentication packets, valid or invalid, until the 24-hour HTTP Server Lock Timer expires.
WARNING/REMINDER: Upgrading the controller firmware clears the web server configuration. It is necessary to manually record the web server settings prior to a firmware upgrade so the configuration can be manually re-entered into the web server settings after the firmware upgrade is complete.
NOTE: The latest MicroLogix 1100 and 1400 firmware versions are posted at: http://www.ab.com/linked/programmablecontrol/PLC/MicroLogix/downloads.html
4. If webserver functionality is desired in the MicroLogix 1100 or 1400 controllers, we recommend you configure User Accounts to only provide READ access to the product (e.g. do not configure READ/WRITE for Users). In addition, where possible exclusively access the product via User Accounts to minimize potential for a Replay attack to the Administrator’s account. User-administration is done through the product’s webserver.
NOTE: Rockwell Automation continues to investigate and evaluate other product-level strategies to address this vulnerability.
In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
3. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
4. Use up to date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.
5. Make sure that software and control system device firmware is patched to current releases.
6. Periodically change passwords in control system components and infrastructure devices.
7. Where applicable, set the controller key-switch/mode-switch to RUN mode.
8. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/
Based on the outcome of our ongoing investigation, we will communicate relevant recommended mitigation strategies to our concerned customers.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
February 15, 2012 - version 1.0
Update to January 31, 2012 - version 1.0
On January 17, 2012, Rockwell Automation was made aware of two security vulnerabilities in the FactoryTalk™ Diagnostics Receiver Service (RNADiagReceiver.exe) that if successfully exploited, may result in a Denial of Service condition.
AFFECTED PRODUCTS
Rockwell Automation’s Security Taskforce has determined the following Allen-Bradley products are affected by these vulnerabilities:
VULNERABILITY DETAILS
A successful attack occurs when the RNADiagReceiver.exe service receives a datagram on UDP port 4445 that exceeds 2000 bytes, or when the service receives a specifically crafted datagram of a valid size. These two cases result in the following two conditions, respectively:
1. Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4445.
2. Crash condition that disrupts further execution of the RNADiagReceiver.exe diagnostic service.
The disruption or failure of the service leads to the potential for disruption to the operation of any software that depends on the RNADiagReceiver.exe service. The vulnerability can be exploited remotely from a network-based attack; however, the Security Taskforce has determined that there is no known possibility of malicious code injection and no known escalation of privilege on the host machine that results from successful exploitation.
ADDRESSING THE RISK
Rockwell Automation has released a specific software patch to address this vulnerability in software products that incorporate the RNADiagReceiver.exe service:
http://rockwellautomation.custhelp.com/app/answers/detail/a_id/471091
ADDITIONAL RISK MITIGATION
In addition to applying the above patch, Rockwell Automation recommends concerned customers configure firewalls to block the following TCP ports to prevent traversal of RNA messages into/out of the ICS system:
• 1330
• 1331
• 1332
• 4241
• 4242
• 4445
• 4446
• 6543
• 9111
• 60093
• 49281
We also recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
3. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
Concerned customers should continue to monitor Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to security in Rockwell Automation products and systems.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
September 13, 2011 - version 1.0
This advisory has been replaced with AID# 456144
On September 13, 2011, Rockwell Automation was made aware of a potential vulnerability in RSLogix 5000 software that if successfully exploited, may result in a Denial of Service condition.
We are in the process of validating the potential vulnerability in order to determine possible risk, scope, impacts, and exposure to our customers if it is confirmed.
Based on the outcome of our ongoing investigation, if the vulnerability is confirmed, we will communicate a recommended mitigation strategy to our concerned customers as soon as possible.
Until a specific mitigation strategy is made available, we recommend concerned customers remain vigilant and continue to apply the following security strategies that help reduce risk and enhance overall control system security:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
|---|---|---|
| 1756-EN2TR (Series A, B) | 4.002 - 4.003 | 4.004 |
| 1756-EN3TR (Series A) | 4.002 - 4.003 | 4.004 |
CVSS Base Score: 7.5/10 (high)
CVSS 2.0 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
July 26, 2011 - version 1.0
An anomaly affecting specific versions of RSLogix 5000 software has been brought to Rockwell Automation’s attention by independent researchers and ICS-CERT. The identified anomaly relates to how RSLogix 5000 software, versions 19 and earlier, processes its native format .ACD project files.
Details of this anomaly are as follows:
The potential exists for affected versions of RSLogix 5000 software to accept a maliciously altered ACD project file that can result in an integer overflow condition, which can in turn cause the RSLogix 5000 software to terminate unexpectedly. In addition, the possibility for the injection of malicious software during this condition has not been definitively ruled out.
This anomaly affects all RSLogix 5000 releases up to and including Version 19.
There are no known exploits involving this anomaly. Successful exploitation would require social engineering to introduce and convince a user to open a maliciously altered ACD file. Additionally, there is no known proof-of-concept code or means to demonstrate results any more serious than the unexpected termination of the RSLogix 5000 application. Rockwell Automation’s technical evaluation and testing confirm the presence of this anomaly, but similarly indicates successful exploitation as a security vulnerability remains only theoretically possible. Furthermore, it has been confirmed that no escalation of privilege can result from successful exploitation of this anomaly.
Mitigation Strategy:
This anomaly will be addressed in the next release of RSLogix 5000, Version 20, and subsequent releases thereafter.
Additional recommendations to mitigate potential risk:
• Do not run RSLogix 5000 software in Administrator Mode.
• Only open ACD files from known and trusted sources.
• Store and transmit trusted ACD files in a secure manner and protect them as assets.
• Consider digitally signing trusted ACD files to authenticate their origin and indicate any file tampering.
Note: RSLogix 5000 software does not include a means to digitally sign ACD files; however, commercially available tools such as PGP or GnuPG can be used to apply signatures to ACD and other files.
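The recommendation above is to sign trusted ACD files and check the signature before the file is opened. The following added example (not code from Rockwell Automation or from the advisory) shows that verify-before-open gate with a detached signature file stored next to the project file. The advisory names PGP/GnuPG; because the Python standard library carries no OpenPGP or public-key signature support, this stand-in uses a keyed hash (HMAC-SHA256) with a shared key so it runs offline, and a deployment would call `gpg --verify` at the same point where `verify_detached()` is called. The file names, contents and key are constructed.

```python
"""Verify-before-open gate for ACD project files using a detached signature.

Added example, not part of the advisory. HMAC-SHA256 with a shared key is a
stand-in for the detached OpenPGP signature the advisory suggests; the
structure (sign once, store .sig beside the file, refuse to open on a missing
or mismatched signature) is the same. All paths, data and keys are constructed.
"""
import hashlib
import hmac
import os
import secrets
import tempfile

SIG_SUFFIX = ".sig"  # detached signature lives beside the ACD file


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def _tag(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_file(path, key):
    """Write a detached signature for the current contents of `path`."""
    with open(path + SIG_SUFFIX, "w", encoding="ascii") as f:
        f.write(_tag(key, _read(path)) + "\n")


def verify_detached(path, key):
    """True only when a signature exists and matches; fail closed otherwise."""
    try:
        with open(path + SIG_SUFFIX, encoding="ascii") as f:
            expected = f.read().strip()
    except FileNotFoundError:
        return False  # unsigned file: treat as untrusted
    # Constant-time comparison avoids leaking how many hex digits matched.
    return hmac.compare_digest(_tag(key, _read(path)), expected)


def open_trusted_acd(path, key):
    """Return the file bytes only after the signature check passes."""
    if not verify_detached(path, key):
        raise PermissionError(f"refusing to open {path}: signature missing or invalid")
    return _read(path)


def demo():
    """Exercise the three cases a practitioner cares about; returns their outcomes."""
    key = secrets.token_bytes(32)  # constructed shared key
    with tempfile.TemporaryDirectory() as tmp:
        acd = os.path.join(tmp, "Line1.ACD")
        with open(acd, "wb") as f:
            f.write(b"CONSTRUCTED ACD PROJECT BYTES v1")
        sign_file(acd, key)
        signed_ok = verify_detached(acd, key)
        opened = open_trusted_acd(acd, key)

        # Tamper with the file after signing: the stored signature no longer matches.
        with open(acd, "ab") as f:
            f.write(b"\x00 tampered")
        tampered = verify_detached(acd, key)

        # A project file that was never signed must be refused, not silently opened.
        unsigned = os.path.join(tmp, "Unsigned.ACD")
        with open(unsigned, "wb") as f:
            f.write(b"CONSTRUCTED UNSIGNED BYTES")
        try:
            open_trusted_acd(unsigned, key)
            unsigned_refused = False
        except PermissionError:
            unsigned_refused = True

    return {
        "signed_ok": signed_ok,
        "opened_len": len(opened),
        "tampered": tampered,
        "unsigned_refused": unsigned_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The gate fails closed on both a missing and a mismatched signature, which is the property that matters when a project file arrives over e-mail or removable media; a signing tool that only warns on mismatch would not give the "indicate any file tampering" assurance the advisory asks for.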
To help further enhance overall control system security, Rockwell Automation also recommends the following strategies. When possible, multiple strategies should be employed simultaneously:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
Rockwell Automation continues to investigate and evaluate other strategies such as product and system-level techniques and functional enhancements to enhance security and reduce the likelihood of file tampering.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
A vulnerability has been discovered in the RsiOPCAuto.dll version 1.1.8.0 ActiveX component included with specific versions of RSLinx Classic that can allow for the execution of arbitrary code. This vulnerability affects the following:
Details of this vulnerability are as follows:
The vulnerability results from a boundary error in the RsiOPCAuto.OPCServer ActiveX control. When a specific parameter in this control receives an excessively long debug string, a buffer overflow condition can allow for the execution of arbitrary and potentially malicious code.
There are currently no known active exploits of this vulnerability.
To help reduce the likelihood of exploitation and associated security risk, Rockwell Automation recommends the following mitigation strategy:
| Affected Software | Option | Upgrade or patch software |
|---|---|---|
| RSLinx Classic version 2.54 and earlier that include any version of RsiOPCAuto.dll | Option 1 | Recommended: |
| | Option 2 | If unable to upgrade to version 2.55: Apply software patch for RsiOPCAuto.dll to address this vulnerability in RSLinx Classic version 2.54 and all prior versions. The patch is available in the following technote: Answer ID 449288. NOTE: Rockwell Automation recommends all users applying this RSLinx Classic patch plan to upgrade to RSLinx Classic version 2.55 at first convenience given RSLinx Classic's transition from RsiOPCAuto.dll to OpcDAauto.dll. |
Rockwell Automation remains committed to making additional security enhancements to our systems in the future.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
A vulnerability has been discovered in some specific versions of the FactoryTalk Diagnostics Viewer that could allow the execution of arbitrary code by opening a corrupted FactoryTalk Diagnostics Viewer Configuration file (*.ftd). This vulnerability would require some form of social engineering to convince a user of the FactoryTalk Diagnostics Viewer to open the corrupted (*.ftd) file.
The vulnerability has been confirmed to affect only the versions of the FactoryTalk Diagnostics Viewer v2.10.x (CPR9 SR2) and earlier.
Details of this vulnerability are as follows:
This issue is caused by a vulnerability in Microsoft's ATL library code (MS09-035). Vendors were required to rebuild with the updated development tools and re-release their products in order to resolve this issue. This potential vulnerability has been confirmed to affect only the versions of the FactoryTalk Diagnostics Viewer v2.10.x (CPR9 SR2) and earlier. The FactoryTalk Diagnostics Viewer v2.30.00 (CPR9 SR3) and later utilize an updated version of the Microsoft library code and do not exhibit this issue.
This vulnerability is not remotely exploitable. There are currently no known active exploits of this potential vulnerability.
To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following mitigation strategy:
Concerned customers should upgrade to FactoryTalk Diagnostics Viewer (CPR9 SR3) or greater. The FactoryTalk Diagnostics Viewer v2.30 is not available as a standalone installation package. It is included and installed as a part of the FactoryTalk Services Platform v2.30 (CPR9 SR3). Please reference AID 42682 - "Rockwell Automation Software Product Compatibility Matrix" to make sure you understand any dependencies and/or compatibility issues that may exist with installation of this version of the Services Platform.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Rockwell Automation has identified a security vulnerability in the ControlLogix 1756-EWEB Series A Enhanced Web Server (the "Product"). Details of this vulnerability are as follows:
If the FTP server on the Product is enabled, the Product can be caused to enter a faulted state if it is sent FTP commands with arguments larger than a certain size. When in this faulted state, the Product becomes unresponsive and nonfunctional. To return the Product to its normal operating condition, the power to the Product must be cycled.
The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product, loss of Product availability and disruption to both Product and system operation.
Rockwell Automation plans to directly mitigate this vulnerability in a forthcoming Product firmware release currently anticipated in February 2012.
To immediately help reduce the likelihood of exploitation and associated security risk, Rockwell Automation recommends the following mitigation strategies. When possible, multiple strategies should be employed simultaneously:
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
June 15, 2011 - Version 1.0
Rockwell Automation has identified a security vulnerability in the firmware upgrade process employed by the ControlLogix 1756-EN2T EtherNet/IP Bridge Module (the "Product"). This vulnerability affects the following products:
Details of this vulnerability are as follows:
The potential exists for the Product to accept an altered or corrupted firmware image during its upgrade process that may render the Product inoperable or change its otherwise normal operation.
The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product, loss of Product availability and disruption to both Product and system operation. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the Product for other malicious activities.
Rockwell Automation is currently planning to release enhanced firmware for the Product around February 2012. This forthcoming firmware will include product-level firmware authentication and verification. This firmware release will be digitally signed. Once applied to the Product, any subsequent Product upgrades will require firmware that includes a valid Rockwell Automation digital signature for authentication purposes.
To immediately help reduce the likelihood of exploitation and associated security risk, Rockwell Automation recommends the following mitigation strategies. When possible, multiple strategies should be employed simultaneously:
For your information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Rockwell Automation has identified a security vulnerability in the firmware upgrade process employed by the ControlLogix 1756-EWEB Series A Enhanced Web Server Module (the "Product"). Details of this vulnerability are as follows:
The potential exists for the Product to accept an altered or corrupted firmware image during its upgrade process that may render the Product inoperable or change its otherwise normal operation.
The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product, loss of Product availability and disruption to both Product and system operation. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the Product for other malicious activities.
To help reduce the likelihood of exploitation and associated security risk, Rockwell Automation recommends the following mitigation strategies. When possible, multiple strategies should be employed simultaneously:
In addition to these mitigation strategies, Rockwell Automation continues to investigate and evaluate other strategies such as product and system-level techniques and functional enhancements to verify the authenticity of firmware updates and help reduce the likelihood of file tampering.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
May 24, 2011
Rockwell Automation has investigated a reported buffer overflow vulnerability in RSLinx Classic™ and has determined the following:
· The reported vulnerability was not in RSLinx Classic, but in a separate isolated executable, EDS Hardware Installation Tool (RSHWare.exe), which is installed by RSLinx Classic. This executable file is normally launched from the following menu location:
Rockwell Software > RSLinx Tools > EDS Hardware Installation Tool
· The reported vulnerability requires an authorized administrator to run the EDS Hardware Installation Tool after gaining physical access to the computer in order to load an improperly formatted EDS file.
· The reported vulnerability has no effect on RSLinx Classic’s intended operation, which is to allow client applications to communicate with controllers and/or other automation devices.
· A successful exploit of this vulnerability could allow an attacker to run arbitrary code on the target PC.
Customers who are concerned about this reported vulnerability should recognize that to exploit it would require gaining physical access to the target computer, a user with administrator privileges and execution of the EDS Hardware Installation Tool in order to load an improperly formatted EDS file.
Given the details above, it is highly unlikely that an attacker would use the EDS Hardware Installation Tool to launch a malicious attack.
The reported vulnerability is present in version 1.0.5.1 and earlier versions of the EDS Hardware Installation Tool (RSHWare.exe). To determine the version installed, locate RSHWare.exe, right-click it and select Properties. Select the "Version" tab of the Properties dialog to view the file version.
Rockwell Automation recommends concerned customers take the following immediate steps to mitigate risk associated with the reported vulnerability:
1. Restrict physical access to the computer.
2. Establish policies and procedures such that only authorized individuals have administrative rights on the computer.
3. Obtain product EDS files from trusted sources (e.g. the product vendor).
4. Apply the Rockwell Automation issued patch.
Rockwell Automation has issued a software patch for the EDS Hardware Installation Tool that addresses this buffer overflow vulnerability. When applied, the patch replaces the RSEds.dll file with the modified version. Future releases of RSLinx Classic, starting with version 2.58, will include this modified version of the required files.
Rockwell Automation is committed to making additional security enhancements to our systems in the future.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Rockwell Automation has identified a security vulnerability in specific versions of the MicroLogix™ family of programmable controllers. This vulnerability affects, and is limited to, the following MicroLogix 1100 and 1400 platforms:
Details of this vulnerability are as follows:
A denial of service results from a successful attack against the password mechanism employed in specific versions of the MicroLogix 1100 and 1400 controller platforms when the controller's HTTP Server is enabled. When versions of these products are targeted with a specific attack, the potential exists for these products to enter a predefined fault mode and reset their product configuration back to the factory-default state. User intervention is necessary to reprogram and reconfigure the controller.
A successful attack on specific versions of the MicroLogix 1100 and 1400 controllers has the potential to cause a Denial of Service (DOS), loss of product availability and disruption to both product and system operation.
To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously.
| Controller Platform | Catalog Number | Affected Firmware | Upgrade controller to firmware version |
|---|---|---|---|
| MicroLogix 1100 | 1763-L16xxx | FRN 9 or earlier | FRN 10 or higher |
| MicroLogix 1400 | 1766-L32xxxx | Series A FRN 6 or earlier | Series A FRN 7 or higher, or Series B FRN 11 or higher |
Current firmware for MicroLogix can be obtained here: http://www.ab.com/linked/programmablecontrol/PLC/MicroLogix/downloads.html
Rockwell Automation remains committed to making additional security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
| Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
|---|---|---|
| 1756-ENBT (Series A) | 3.26 | 3.9 |
| 1756-ENBT (Series A) | 3.61 | 3.9 |
CVSS Base Score: 7.5/10 (high)
CVSS 2.0 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Rockwell Automation has investigated a reported buffer overflow vulnerability in RSLinx Classic™ and has determined the following:
· The reported vulnerability was not in RSLinx Classic, but in a separate isolated executable, EDS Hardware Installation Tool (RSHWare.exe), which is installed by RSLinx Classic. This executable file is normally launched from the following menu location:
Rockwell Software > RSLinx Tools > EDS Hardware Installation Tool
· The reported vulnerability requires an authorized administrator to run the EDS Hardware Installation Tool after gaining physical access to the computer in order to load an improperly formatted EDS file.
· The reported vulnerability has no effect on RSLinx Classic’s intended operation, which is to allow client applications to communicate with controllers and/or other automation devices.
· A successful exploit of this vulnerability could allow an attacker to run arbitrary code on the target PC.
Customers who are concerned about this reported vulnerability should recognize that to exploit it would require gaining physical access to the target computer, a user with administrator privileges and execution of the EDS Hardware Installation Tool in order to load an improperly formatted EDS file.
Given the details above, it is highly unlikely that an attacker would use the EDS Hardware Installation Tool to launch a malicious attack.
The reported vulnerability is present in version 1.0.5.1 and earlier versions of the EDS Hardware Installation Tool (RSHWare.exe). To determine the version installed, locate RSHWare.exe, right-click it and select Properties. Select the "Version" tab of the Properties dialog to view the file version.
Rockwell Automation recommends concerned customers take the following immediate steps to mitigate risk associated with the reported vulnerability:
1. Restrict physical access to the computer.
2. Establish policies and procedures such that only authorized individuals have administrative rights on the computer.
3. Obtain product EDS files from trusted sources (e.g. the product vendor).
4. Apply the Rockwell Automation issued patch, AID 68053.
Rockwell Automation has issued a software patch for the EDS Hardware Installation Tool that addresses this buffer overflow vulnerability. When applied, the patch replaces the RSEds.dll file with the modified version 4.0.1.157. Future releases of RSLinx Classic, starting with version 2.57, will include this modified version of the RSEds.dll.
Rockwell Automation is committed to making additional security enhancements to our systems in the future.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Rockwell Automation has identified a potential security vulnerability in the programming and configuration client software authentication mechanism employed by certain versions of the PLC5 and SLC family of programmable controllers. The particular vulnerability affects older versions of the following catalog numbers: 1785-Lx and 1747-L5x (the "Product"). Newer Products, programmed with current versions of RSLogix 5 or RSLogix 500, can enable specific security features like FactoryTalk Security services to effectively enhance security and reduce risks associated with this vulnerability. When coupled with contemporary network design practices, remaining risks linked to this vulnerability can be further reduced.
Details of this potential vulnerability to the affected Product are as follows:
Customers who are concerned about unauthorized access to their Products can take immediate steps as outlined below to reduce associated security risk from this potential vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system configuration too.
For instance, to directly mitigate associated risk in PLC5 controllers, Rockwell Automation recommends use of the following mitigation strategy:
To help further reduce the likelihood of exploitation and to help reduce associated security risk in the PLC5 and SLC family of controllers, Product users can follow these added remediation strategies (Note: when possible, multiple strategies should be employed simultaneously):
| Catalog Number | Series A | Series B | Series C | Series D | Series E | Series F |
|---|---|---|---|---|---|---|
| Enhanced | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L11B | R.2 | U.2 | L.2 | K.2 | | |
| 1785-L20B | R.2 | U.2 | L.2 | K.2 | | |
| 1785-L30B | S.2 | U.2 | L.2 | K.2 | | |
| 1785-L40B | S.2 | U.2 | L.2 | K.2 | | |
| 1785-L40L | S.2 | U.2 | L.2 | K.2 | | |
| 1785-L60B | S.2 | U.2 | L.2 | K.2 | | |
| 1785-L60L | S.2 | U.2 | L.2 | K.2 | | |
| 1785-L80B | U.2 | L.2 | K.2 | | | |
| Protected | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L26B | R.2 | U.2 | L.2 | K.2 | | |
| 1785-L46B | S.2 | U.2 | L.2 | K.2 | | |
| 1785-L46L | S.2 | U.2 | | | | |
| 1785-L86B | U.2 | L.2 | K.2 | | | |
| Ethernet | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L20E | U.2 | L.2 | K.2 | A.2 | | |
| 1785-L40E | U.2 | L.2 | K.2 | A.2 | | |
| 1785-L80E | U.2 | L.2 | K.2 | A.2 | | |
| ControlNet | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L20C15 | U.2 | L.2 | K.2 | E.2 | | |
| 1785-L40C15 | U.2 | L.2 | K.2 | E.2 | | |
| 1785-L46C15 | K.2 | E.2 | | | | |
| 1785-L60C15 | L.2 | | | | | |
| 1785-L80C15 | L.2 | K.2 | E.2 | | | |
Rockwell Automation is committed to making additional security enhancements to our systems in the future.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/en-us/capabilities/industrial-networks/industrial-network-services.html.