SD1703 | Security Advisory | Rockwell Automation

Loading

Severity:

High,

Critical

Advisory ID:

SD1703

Fecha de publicación:

October 04, 2024

Última actualización:

October 04, 2024

Revision Number:

1.0

Known Exploited Vulnerability (KEV):

No

Corrected:

Sí

Workaround:

No

CVE IDs

CVE-2019-14855,

CVE-2019-17543,

CVE-2019-18276,

CVE-2019-19244,

CVE-2019-989,

CVE-2019-9923

Descargas

The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:

JSON

JSON

JSON

JSON

JSON

JSON

Resumen

DataMosaix™ Private Cloud third-party Vulnerabilities

Published Date: 10/8/24

Revision Number: 1.0

CVSS Score: 3.1: 7.5, 8.1, 7.8, 9.8 4.0: 8.7, 9.3

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product Affected Product Affected Versions

DataEdgePlatform

DataMosaix™ Private Cloud <=7.07 v7.09

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.

CVE-2019-14855 IMPACT

The affected product utilizes GnuPG which contains a certificate signature vulnerability found in the SHA-1 algorithm. A threat actor could use this weakness to create forged certificate signatures. If exploited, a malicious user could view customer data.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-17543 IMPACT

The affected product utilizes LZ4 which contains a heap-based buffer overflow vulnerability in versions before 1.9.2 (related to LZ4_compress_destSize), that affects applications that call LZ4_compress_fast with a large input. This issue can also lead to data corruption. NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 8.1 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-18276 IMPACT

The affected product utilizes shell.c which contains a vulnerability in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. A threat actor with command execution in the shell can use "enable -f" for runtime loading to gain privileges. If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 7.8 CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-19244 IMPACT

The affected product utilizes SQLite 3.30.1 which contains a vulnerability in sqlite3Select in select.c that allows a crash if a subselect uses both DISTINCT and window functions and has certain ORDER BY usage. If exploited, a malicious actor could perform a denial-of-service, which would require the use to restart the software to recover it.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-9893 IMPACT

The affected product utilizes libseccomp, which contains a vulnerability in versions 2.4.0 and earlier that does not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE). This vulnerability could lead to bypassing seccomp filters and potential privilege escalations. If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 9.8 CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-9923 IMPACT

The affected product utilizes GNU Tar, which contains a vulnerability in pax_decode_header in sparse.c in versions before 1.32. pax_decode_header has a NULL pointer dereference when parsing certain archives that have malformed extended headers. If exploited, a malicious actor could perform a denial-of-service, which would require the use to restart the software to recover it.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

Copyright ©2022 Rockwell Automation, Inc.