PN1595 | Security Advisory | Rockwell Automation | Rockwell Automation

Severity:

High,

Medium

Advisory ID:

PN1595

Published Date:

September 23, 2022

Last Updated:

January 28, 2025

Revision Number:

1.2

Known Exploited Vulnerability (KEV):

Corrected:

Yes

Workaround:

Yes

CVE IDs

CVE-2022-0778

Downloads

The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:

CVE-2022-0778

Summary

Revision History

Version 1.2 - 28-Jan-2025, Updated Impacted Products (Stratix 4300)

Version 1.1 – 8-Sept-2022, Updated Suggested Actions

Executive Summary

Rockwell Automation received a report on a new vulnerability within OpenSSL, which is used within some of our products. This vulnerability can lead to a denial-of-service within the affected products if successfully launched by an attacker.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

ThinManager® software (Versions 12.0.0 - 12.0.2, 12.1.0 - 12.1.3)
FactoryTalk® Linx Gateway (Version 6.30 and earlier)
Factory Talk Linx OPC UA Connector (Version 6.30 and earlier)
Factory Talk View (Version 11.00 - Version 13.00)
Stratix 4300 (Versions 4.0.1.117 and earlier)

Vulnerability Details

CVE-2022-0778 Open SSL allows for an infinite loop

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-0778 Open SSL allows for an infinite loop (*This CVE score only applies to ThinManager)

Administrator privileges are needed for this attack to be successful on ThinManager Software.

CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Products Affected	Suggested Actions
ThinManager	This issue has been patched. Customers should follow the patch instructions as follows: If using v12.0.0-12.0.2 >> Download v12.0.3 If using v12.1.0-12.1.3 >> Download v12.1.4
Factory Talk Linx Gateway	Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
Factory Talk Linx OPC UA Connector	Customers should view BF28103 - Everyone Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
Factory Talk View	Customers should view BF28297 - Patch: Open SSL Vulnerability, FactoryTalk View 11.0, 12.0, 13.0 to install the update that mitigates the issue.
Stratix 4300	The issue has been patched. Customers should upgrade to v4.0.2.101 Download Center

If an upgrade is not possible or available, customers should consider implementing the following mitigations:

Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker
.
Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page

for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page

for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview

within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website

PN1595 | OpenSSL Infinite Loop in Rockwell Automation Products