Executive Summary
Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding multiple vulnerabilities in the parsing and storing of Electronic Datasheet (EDS) files in Rockwell Automation® software products. These vulnerabilities, if successfully exploited, may result in code injection and denial-of-service conditions.
EDS files are text files that allow product-specific information to be made available to third-party vendors by Rockwell Automation. These files define a device's configurable parameters and the public interfaces to those parameters for identification and commissioning.
Rockwell Automation has provided software updates containing the remediation to these vulnerabilities. Customers using the affected versions of these products are encouraged to evaluate the mitigations provided below and apply them appropriately.
Affected Products
- FactoryTalk® Linx software (previously called RSLinx® Enterprise) versions 6.00, 6.10, and 6.11
- RSLinx® Classic v4.11.00 and earlier
- RSNetWorx™ software v28.00.00 and earlier
- Studio 5000 Logix Designer® software v32 and earlier
Vulnerability Details
CVE-2020-12034: SQL injection due to improper input sanitization
The EDS subsystem does not provide adequate input sanitization, which may allow an attacker to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. This may lead to denial-of-service (DoS) conditions or allow an attacker to manipulate the SQL engine to write or modify files on the system. This affects the EDS subsystem v27 and earlier.
CVSS v3.1 Base Score: 8.2/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H
CVE-2020-12038: Denial-of-service conditions due to memory corruption in parsing/storage of EDS files
A memory corruption vulnerability exists in the algorithm that matches square brackets in the EDS subsystem. This may allow an attacker to craft specialized EDS files to crash the EDSParser COM object leading to denial-of-service (DoS) conditions. This affects the EDS subsystem v27 and earlier.
CVSS v3.1 Base Score: 6.7/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H
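The two defect classes described above, strict handling of square-bracket section headers and storage of file content through bound parameters, are illustrated in the following added example. It is not Rockwell Automation code: the simplified EDS grammar, the `devices` table, the function names, and the use of SQLite as a stand-in database are all assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample in a simplified EDS layout (not from a real device).
SAMPLE_EDS = """\
$ constructed example; '$' starts a comment line
[File]
    DescText = "Sample EDS";
[Device]
    VendCode = 1;
    ProdName = "Drive'); -- constructed";
"""

# A header is exactly one balanced bracket pair around a short, bounded name.
SECTION_RE = re.compile(r"^\[([A-Za-z0-9_ ]{1,64})\]$")


def parse_eds(text):
    """Return {section: {key: value}}; raise ValueError on malformed input."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("$"):
            continue
        if line.startswith("["):
            match = SECTION_RE.match(line)
            if not match:
                raise ValueError(f"line {lineno}: malformed section header")
            current = sections.setdefault(match.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep or not value.rstrip().endswith(";"):
            raise ValueError(f"line {lineno}: malformed entry")
        value = value.rstrip()[:-1].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[key.strip()] = value
    return sections


def store_device(conn, sections):
    """Store the [Device] identity using bound parameters only."""
    dev = sections["Device"]
    conn.execute("CREATE TABLE IF NOT EXISTS devices (vend_code INTEGER, prod_name TEXT)")
    # File content is passed as data, never formatted into the SQL text,
    # so quotes and comment markers in ProdName cannot alter the statement.
    conn.execute("INSERT INTO devices (vend_code, prod_name) VALUES (?, ?)",
                 (int(dev["VendCode"]), dev["ProdName"]))
    return conn.execute("SELECT vend_code, prod_name FROM devices").fetchall()
```
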
Risk Mitigation & User Action
Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
CVE | Products Affected | Mitigation |
CVE-2020-12034, CVE-2020-12038 | | Apply patch by following the instructions in knowledgebase article RAid 1125928. |
General Security Guidelines
Network-based Vulnerability Mitigations for Embedded Products
- Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP Port#s 2222, 7153 and UDP Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
General Mitigations
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).