Severity: 
                            
                            
                                        
                                        High
                                    
                                
                            
                                Advisory ID: 
                            
                            
                                PN1589
                            
                        
                                公開日: 
                            
                            
                                April 04, 2022
                            
                        
                                最終更新日: 
                            
                            
                                April 04, 2022
                            
                        
                                Revision Number: 
                            
                            
                                1.0
                            
                        
                                Known Exploited Vulnerability (KEV): 
                            
                            
                                いいえ
                            
                        
                                Corrected: 
                            
                            
                                いいえ
                            
                        
                                Workaround: 
                            
                            
                                いいえ
                            
                        
                            CVE IDs
                        
                        
                                    
                                    CVE-2022-1118
                                
                            
                        
                    概要
                
                
                    Multiple Products Vulnerable to Deserialization of Data
                
              Revision History 
   Revision History 
   Version 1.0 – April 4, 2022 
 Executive Summary
  Rockwell Automation received a report from the researcher Kimiya through Trend Micro’s Zero Day Initiative about vulnerabilities in Connected Components Workbench™, ISaGRAF® Workbench and Safety Instrumented Systems Workbench for Trusted® controllers. If successfully exploited, these vulnerabilities may result in remote code execution. These vulnerabilities all require user interaction through a phishing attack, for example, to be successfully exploited.
 
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
 Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
- Connected Components Workbench v13.00.00 and below.
- ISaGRAF Workbench v6.0-v6.6.9
- Safety Instrumented System Workstation v1.2 and below (for Trusted Controllers)
Vulnerability Details
 CVE-2022-1118- Deserialization of untrusted data may result in arbitrary code execution
Connected Components Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.
 
CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
 
 Connected Components Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.
CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Risk Mitigation & User Action
  Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
   
 
If an upgrade is not possible or available, customers should consider deploying the following mitigations:
 | Products Affected | Suggested Actions | 
|---|---|
| Connected Components Workbench Versions 13.00 and below | Customers should update to version 20.00, which mitigates this vulnerability. | 
| ISaGRAF Workbench Versions 6.0-6.6.9 | It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue. | 
| SIS Workstation Versions 1.2 and below (for Trusted Controllers) | It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue. | 
If an upgrade is not possible or available, customers should consider deploying the following mitigations:
- Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Do not open untrusted .ccwsln files with Connected Component Workbench, ISaGRAF, or SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
- Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
General Security Guidelines
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com)
Additional Links
Copyright ©2022 Rockwell Automation, Inc.