Severity: High
Advisory ID: PN1543
Publication Date: February 15, 2021
Last Updated: February 15, 2021
Revision Number: 1.1
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2021-22665
Summary: Writable Path Directory in DriveTools SP and Drives AOP
Revision History
Revision Number: 1.1
Executive Summary
Rockwell Automation received a report from both Cim Stordal of Cognite and Claroty regarding a vulnerability in DriveTools™ and Drives AOP. If successfully exploited, this vulnerability may result in privilege escalation and total loss of device confidentiality, integrity, and availability.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Special thanks to both Cognite and Claroty for their work discovering this vulnerability.
Affected Products
DriveExecutive v5.13 and below.
DriveTools SP v5.13 and below.
Drives AOP v4.12 and below.
Vulnerability Details
CVE-2021-22665: Privilege Escalation Vulnerability due to Uncontrolled Search Path Element
DriveTools and Drives AOP both contain a vulnerability that a local attacker with limited privileges may be able to exploit, resulting in privilege escalation and complete control of the system.
CVSS v3.1 Score: 7.5/10 High
CVSS v3.1 Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
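The weakness class named above (an uncontrolled search path element, CWE-427) is exposed when a directory on a program's search path can be written to by a standard user, because a low-privileged account can then place a file that a higher-privileged process later loads. A defender's first check is therefore to find out which search-path directories grant write access to low-privileged principals. The following script is an added example written for this advisory; it is not Rockwell Automation code. It parses the text output of the Windows `icacls` utility, flags directories where Everyone, BUILTIN\Users or similar groups hold a write-capable allow ACE, and can be pointed at the live `PATH` on a Windows host. The sample output embedded below is constructed for offline testing, and the list of low-privilege principals is an assumption to be adapted to local group conventions.

```python
"""Audit search-path directories for write access by low-privileged principals.

Added example for advisory PN1543; not vendor code. Parses `icacls <dir>` text
output. SAMPLE_OUTPUT is constructed, not captured from a real host, and
LOW_PRIV_PRINCIPALS is an assumption about which groups every standard user
belongs to.
"""
import os
import re
import subprocess

# Assumed set of principals that include every interactive, unprivileged user.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "builtin\\guests",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls rights tokens that allow creating or replacing files in a directory,
# or rewriting its ACL/owner (from which write access can be granted).
# Inheritance flags (OI)(CI)(IO)(NP)(I) are not rights and are filtered out.
WRITE_TOKENS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "GA", "GW"}
NON_RIGHTS = {"OI", "CI", "IO", "NP", "I", "DENY"}

# One ACE: "<principal>:(flag)(flag)(rights)" with no trailing text.
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^()]*\))+)$")


def parse_icacls(path, output):
    """Return [(principal, is_allow, rights_set), ...] from `icacls <path>` text."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        # The first ACE is printed on the same line as the queried path; strip
        # the path so the principal (which may contain spaces) parses cleanly.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = set()
        for group in re.findall(r"\(([^()]*)\)", m.group("flags")):
            tokens.update(t.strip() for t in group.split(",") if t.strip())
        aces.append((m.group("principal"), "DENY" not in tokens, tokens - NON_RIGHTS))
    return aces


def low_priv_writers(aces):
    """Low-privilege principals holding a write-capable allow ACE (minus explicit denies)."""
    allowed, denied = set(), set()
    for principal, is_allow, rights in aces:
        if principal.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_TOKENS:
            (allowed if is_allow else denied).add(principal)
    # An explicit deny on write rights outranks an allow for the same principal.
    return sorted(allowed - denied)


def audit_search_path(acl_outputs):
    """Map directory -> low-privilege writers, keeping only directories with findings."""
    findings = {}
    for path, output in acl_outputs.items():
        writers = low_priv_writers(parse_icacls(path, output))
        if writers:
            findings[path] = writers
    return findings


def audit_live_path():
    """Run icacls on every existing PATH entry (Windows only) and audit the results."""
    outputs = {}
    for entry in os.environ.get("PATH", "").split(os.pathsep):
        if entry and os.path.isdir(entry):
            result = subprocess.run(["icacls", entry], capture_output=True, text=True)
            outputs[entry] = result.stdout
    return audit_search_path(outputs)


# Constructed sample output in the format icacls prints; paths are hypothetical.
SAMPLE_OUTPUT = {
    r"C:\Program Files\ExampleVendor\Tool": (
        r"C:\Program Files\ExampleVendor\Tool NT AUTHORITY\SYSTEM:(OI)(CI)(F)" "\n"
        r"                                    BUILTIN\Administrators:(OI)(CI)(F)" "\n"
        r"                                    BUILTIN\Users:(OI)(CI)(RX)" "\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n"
    ),
    r"C:\ExampleVendor\Tools": (  # Modify for Users: any user can plant a file here
        r"C:\ExampleVendor\Tools BUILTIN\Users:(OI)(CI)(M)" "\n"
        r"                       NT AUTHORITY\SYSTEM:(OI)(CI)(F)" "\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n"
    ),
    r"C:\ExampleVendor\Shared": (  # explicit deny cancels the inherited write
        r"C:\ExampleVendor\Shared NT AUTHORITY\Authenticated Users:(DENY)(W)" "\n"
        r"                        NT AUTHORITY\Authenticated Users:(OI)(CI)(RX,W)" "\n"
        r"                        BUILTIN\Administrators:(OI)(CI)(F)" "\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n"
    ),
}

if __name__ == "__main__":
    for path, writers in audit_search_path(SAMPLE_OUTPUT).items():
        print(f"{path}: writable by {', '.join(writers)}")
    if os.name == "nt":
        for path, writers in audit_live_path().items():
            print(f"[live] {path}: writable by {', '.join(writers)}")
```

On the constructed sample only `C:\ExampleVendor\Tools` is reported, because `BUILTIN\Users` holds Modify there; the Shared directory is not reported since the explicit deny on write rights outranks the inherited allow. Directories this audit flags are the ones to tighten (remove the write ACE for standard users) or to keep off the search path of any process that runs with elevated privileges, which is the condition the advisory's mitigations about running as a standard user and least privilege address.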
Risk Mitigation & User Action
Customers using the affected versions are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Customers using affected versions can reach out to their account manager or distributor to request a newer version.
| Vulnerability | Suggested Actions |
| --- | --- |
| CVE-2021-22665 | Apply DriveTools SP v5.14 or later (Download). Apply Drives AOP v4.13 or later (Download). |
General Security Guidelines
Software/PC-based Mitigation Strategies
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use of Microsoft AppLocker or other similar allow-list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
- Ensure that the least-privilege user principle is followed, and that user/service account access to shared resources (such as a database) is only granted with the minimum rights needed.
General Mitigations
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet-accessible control systems, please see Knowledgebase Article PN715.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnowledgeBase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
- PN1354 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
Copyright ©2022 Rockwell Automation, Inc.