Severity:
Medium
Advisory ID:
PN1598
Published:
August 26, 2022
Last Updated:
August 26, 2022
Revision Number:
1.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2022-1096
Summary
CVE-2022-1096 Chromium Type Confusion Vulnerability Impacts Multiple Products
Reference
CVE 2022-1096
Revision History
Version 1.0 – July 12, 2022
Version 1.1 – August 26, 2022: Updated FT View Site Edition mitigation instructions
Executive Summary
Rockwell Automation is aware of multiple products that embed the Chromium web browser and are affected by CVE-2022-1096, a type confusion vulnerability in Chromium's V8 JavaScript engine that was exploited in the wild as a zero-day before Google published a fix. In the way these products use Chromium, exploitation could lead to a low impact on the availability of the targeted device. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.
Customers using the products in scope are encouraged to evaluate the following mitigations and apply them as appropriate to their deployed products. Additional details about the vulnerability, including recommended countermeasures, are provided below.
Affected Products
Product in Scope | Version | Vulnerable Component
FactoryTalk® Linx Enterprise software v6.20, 6.21, and 6.30 | v6.21 | CefSharp v73.1.130 (EIPCACT feature)
FactoryTalk® Linx Enterprise software v6.20, 6.21, and 6.30 | v6.30 | CefSharp v91.1.230 (EIPCACT feature)
FactoryTalk® Linx Enterprise software v6.20, 6.21, and 6.30 | v6.20 | CefSharp v73.1.130 (Device Config feature)
FactoryTalk® Linx Enterprise software v6.20, 6.21, and 6.30 | v6.21 | CefSharp v73.1.130 (Device Config feature)
FactoryTalk® Linx Enterprise software v6.20, 6.21, and 6.30 | v6.30 | CefSharp v73.1.130 (Device Config feature)
Enhanced HIM (eHIM) for PowerFlex® 6000T drives v1.001 | v1.001 | Electron v4.2.12
Connected Components Workbench™ software v11, 12, 13 & 20 (Note: Drives Trending 1.00.00 and 2.00.00 use Connected Components Workbench) | v11, 12, 13, 20 | CefSharp v81.3.100
FactoryTalk Linx Gateway software v6.21 and v6.30 | v6.21 | CefSharp v73.1.130
FactoryTalk Linx Gateway software v6.21 and v6.30 | v6.30 | CefSharp v91.1.230
FactoryTalk View Site Edition software v13.0 | v13.0 | WebView2 v96.0.1054.43
Vulnerability Details
Rockwell Automation has been made aware of a vulnerability in third-party Chromium-based components (CefSharp, Electron and WebView2) that several of our products embed. Because of the way these products use the embedded browser, exploitation may cause the vulnerable product to become temporarily unavailable, but we have not identified a path to code execution or data disclosure in that context. The CVSS score below has therefore been adjusted to reflect the impact on our products rather than the upstream Chromium rating.
CVE 2022-1096 Chromium Web Browser Type Confusion Vulnerability
CVSS Base Score: 4.0 /10 (Medium)
CVSS 3.1 Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Risk Mitigation & User Action
Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available.
For customers using the FactoryTalk View Site Edition follow the recommended actions to address the vulnerability:
- Do not use the FactoryTalk View SE web browser control if it is not required for the intended use of the product.
- Customers who need the SE web browser control can manually download a newer WebView2 fixed-version runtime and apply it as follows:
- Replace the Microsoft® msedgewebview2.exe file located in C:\Program Files (x86)\Rockwell Software\RSView Enterprise\Microsoft.WebView2.FixedVersionRuntime by copying the newer version of the file into that folder, overwriting the existing file.
- DO NOT remove the contents of the folder before pasting the new file.
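The following PowerShell script is an added example and is not part of this advisory or of Rockwell Automation's software. It checks the WebView2 fixed-version runtime folder named above before and after the manual replacement: whether msedgewebview2.exe is present, what file version it carries, whether that version meets a minimum, and whether the folder still contains its supporting files (the advisory warns not to empty the folder). Two things are assumptions rather than statements from the page: the default minimum version 99.0.1150.0 applies the Edge version the advisory gives for eHIM to WebView2, which shares Edge's version numbering; and the function names are this example's own.

```powershell
<#
 Added example, not from the Rockwell Automation advisory.
 Assumptions: the 99.0.1150.0 floor reuses the Edge version the advisory
 names for eHIM (WebView2 follows Edge version numbers); function names are ours.
#>
param(
    [string]$RuntimeDir = 'C:\Program Files (x86)\Rockwell Software\RSView Enterprise\Microsoft.WebView2.FixedVersionRuntime',
    [version]$MinimumVersion = '99.0.1150.0',
    [string]$ReplacementExe = ''   # optional: path of the downloaded newer msedgewebview2.exe
)

function Get-PeFileVersion {
    param([string]$Path)
    $fi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the version from the numeric parts; the FileVersion string can carry trailing text.
    [version]::new($fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart)
}

function Get-WebView2RuntimeState {
    param([string]$Dir, [version]$Minimum)
    $exe = Join-Path $Dir 'msedgewebview2.exe'
    $present = Test-Path -LiteralPath $exe
    $ver = if ($present) { Get-PeFileVersion $exe } else { $null }
    # The advisory says to paste the new exe over the old one without clearing the
    # folder. A folder holding only the exe means the runtime's DLLs are gone.
    $others = @()
    if (Test-Path -LiteralPath $Dir) {
        $others = @(Get-ChildItem -LiteralPath $Dir -Recurse -File |
                    Where-Object { $_.Name -ne 'msedgewebview2.exe' })
    }
    [pscustomobject]@{
        Executable      = $exe
        Present         = $present
        Version         = $ver
        MeetsMinimum    = ($present -and ($ver -ge $Minimum))
        SupportingFiles = $others.Count
        Intact          = ($present -and ($others.Count -gt 0))
    }
}

function Install-WebView2Replacement {
    param([string]$Dir, [string]$Source, [version]$Minimum)
    $target = Join-Path $Dir 'msedgewebview2.exe'
    $srcVer = Get-PeFileVersion $Source
    $curVer = Get-PeFileVersion $target
    if ($srcVer -lt $Minimum) { throw "Replacement is $srcVer, below required $Minimum" }
    if ($srcVer -le $curVer)  { throw "Replacement $srcVer is not newer than installed $curVer" }
    # Keep a copy of the old binary beside the new one; never empty the folder.
    Copy-Item -LiteralPath $target -Destination "$target.pre-$curVer.bak" -Force
    Copy-Item -LiteralPath $Source -Destination $target -Force
}

$before = Get-WebView2RuntimeState -Dir $RuntimeDir -Minimum $MinimumVersion
$before | Format-List

if ($ReplacementExe) {
    Install-WebView2Replacement -Dir $RuntimeDir -Source $ReplacementExe -Minimum $MinimumVersion
    $after = Get-WebView2RuntimeState -Dir $RuntimeDir -Minimum $MinimumVersion
    $after | Format-List
    if (-not ($after.MeetsMinimum -and $after.Intact)) {
        Write-Error 'WebView2 runtime is still below the minimum version or the folder is incomplete.'
    }
}
elseif (-not $before.MeetsMinimum) {
    Write-Warning "WebView2 runtime $($before.Version) is below $MinimumVersion; apply the replacement step above or disable the SE web browser control."
}
```

Run it from an elevated PowerShell prompt on the FactoryTalk View SE server, first without parameters to record the current state, then with -ReplacementExe pointing at the downloaded msedgewebview2.exe. The Intact field is the check for the "do not remove the contents of the folder" instruction: if it reads False after the update, the supporting files were deleted and the runtime folder must be restored.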
For customers using the Enhanced HIM (eHIM) for PowerFlex 6000T drives, follow the recommended actions to address the vulnerability:
- Update the Microsoft Edge browser to Version 99.0.1150 or later. Additionally, apply the update for eHIM when it becomes available to mitigate the vulnerability.
Copyright ©2022 Rockwell Automation, Inc.