PN1598 | CVE 2022-1096 Chromium Type Confusion Vulnerability Impact Multiple Products

Severity:
Medium
Advisory ID:
PN1598
Publication date:
August 26, 2022
Last updated:
August 26, 2022
Revision Number:
1.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2022-1096
Summary
CVE 2022-1096 Chromium Type Confusion Vulnerability Impact Multiple Products

Reference
CVE 2022-1096
Revision History
Revision Number: 1.1
  • Version 1.0 – July 12, 2022
  • Version 1.1 – August 26, 2022: Updated FT View Site Edition Mitigation Instructions

Executive Summary

Rockwell Automation is aware of multiple products that use the Chromium web browser and are affected by CVE 2022-1096, a zero-day type confusion vulnerability. Exploitation of this vulnerability could potentially lead to a low impact to the availability of the targeted device. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerabilities, including recommended countermeasures, are provided below.

Affected Products

Product in Scope (vulnerable component listed beneath each product)
  • FactoryTalk® Linx Enterprise software v6.20, 6.21, and 6.30
    • v6.21 CefSharp v73.1.130 (EIPCACT feature)
    • v6.30 CefSharp v91.1.230 (EIPCACT feature)
    • v6.20 CefSharp v73.1.130 (Device Config feature)
    • v6.21 CefSharp v73.1.130 (Device Config feature)
    • v6.30 CefSharp v73.1.130 (Device Config feature)
  • Enhanced HIM (eHIM) for PowerFlex® 6000T drives v1.001
    • Electron v4.2.12
  • Connected Components Workbench™ software v11, 12, 13 & 20
    • CefSharp v81.3.100 (Note: Drives Trending 1.00.00 and 2.00.00 use the Connected Components Workbench CefSharp v81.3.100)
  • FactoryTalk Link Gateway software v6.21 and v6.30
    • v6.21 CefSharp v73.1.130
    • v6.30 CefSharp v91.1.230
  • FactoryTalk View Site Edition software v13.0
    • WebView2 v96.0.1054.43

Vulnerability Details

Rockwell Automation has been made aware of a third-party vulnerability that is present in multiple vendor components, which our products use. Due to the way Rockwell Automation uses the Chromium web browser, exploitation of this vulnerability may cause the vulnerable products to become unavailable temporarily. As a result, we adjusted the CVSS Score to reflect how this vulnerability affects our products.

CVE 2022-1096 Chromium Web Browser Type Confusion Vulnerability
CVSS Base Score: 4.0/10 (Medium)
CVSS 3.1 Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available.

For customers using the FactoryTalk View Site Edition, follow the recommended actions to address the vulnerability:
  • Do not use the FactoryTalk View SE web browser control if it is not required for the intended use of the product.
  • Customers utilizing the SE Web Browser can manually download and apply the newer version of WebView2 by using the following directions:
    • Replace the Microsoft® msedgewebview2.exe file that is saved in C:\Program Files (x86)\Rockwell Software\RSView Enterprise\Microsoft.WebView2.FixedVersionRuntime by copying and pasting the new version of the software into the folder.
    • DO NOT remove the contents of the folder before pasting the new file.

For customers using the Enhanced HIM (eHIM) for PowerFlex 6000T drives, follow the recommended actions to address the vulnerability:
  • Update the Microsoft Edge browser to Version 99.0.1150 or later. Additionally, apply the update for eHIM when it becomes available to mitigate the vulnerability.
If applying the mitigations noted above is not possible, please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.
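The following PowerShell check is an added example, not part of the Rockwell advisory, for verifying the two mitigations above on a FactoryTalk View SE host: it reads the file version of msedgewebview2.exe in the FixedVersionRuntime folder named above and compares it with the WebView2 v96.0.1054.43 listed as affected, and reads the installed Microsoft Edge version against the 99.0.1150 minimum given for eHIM. The Edge install path is an assumption (the default location), and the script only reads versions; it changes nothing in the runtime folder.

```powershell
# Added example (not Rockwell's own tooling). Read-only version check for the
# FactoryTalk View SE WebView2 fixed runtime and the installed Microsoft Edge.
$WebView2Dir = 'C:\Program Files (x86)\Rockwell Software\RSView Enterprise\Microsoft.WebView2.FixedVersionRuntime'
$EdgeExe     = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'   # assumed default Edge path

$AffectedWebView2 = [version]'96.0.1054.43'   # version the advisory lists as affected for FT View SE v13.0
$MinEdge          = [version]'99.0.1150'      # minimum Edge version the eHIM mitigation calls for

function Get-FileVersionOrNull([string]$Path) {
    # Returns the numeric file version of an executable, or $null if it is absent
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    # FileVersion strings may carry a text suffix; keep only the leading dotted number
    if ($raw -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    return $null
}

$results = @()

# 1. FT View SE: bundled WebView2 fixed-version runtime
$wv2 = Get-FileVersionOrNull (Join-Path $WebView2Dir 'msedgewebview2.exe')
$wv2Status = if ($null -eq $wv2)                 { 'NOT FOUND (web browser control may not be installed)' }
             elseif ($wv2 -le $AffectedWebView2) { 'AFFECTED: replace msedgewebview2.exe per advisory' }
             else                                { 'newer than the listed affected version' }
$results += [pscustomobject]@{ Component = 'FT View SE WebView2 fixed runtime'; Version = $wv2; Status = $wv2Status }

# 2. eHIM mitigation: Microsoft Edge 99.0.1150 or later
$edge = Get-FileVersionOrNull $EdgeExe
$edgeStatus = if ($null -eq $edge)        { 'NOT FOUND at assumed path' }
              elseif ($edge -lt $MinEdge) { 'BELOW 99.0.1150: update Microsoft Edge' }
              else                        { 'meets minimum version' }
$results += [pscustomobject]@{ Component = 'Microsoft Edge'; Version = $edge; Status = $edgeStatus }

$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the View SE server; any row marked AFFECTED or BELOW is one where the corresponding mitigation above still has to be applied.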

References

  • CVE-2022-1096 - Security Update Guide - Microsoft - Chromium: CVE-2022-1096 Type Confusion in V8
  • ICSA-22-209-01 Advisory

Copyright ©2022 Rockwell Automation, Inc.