Introduction
Executive Summary
Rockwell Automation received a report from independent researcher Ivan Javier Sanchez about a vulnerability in the Connected Components Workbench™ ("CCW") software. CCW is design and configuration software that helps simplify standalone machine development by offering a single environment for controller programming, device configuration and visualization. DLL hijacking is a known and documented vulnerability that affects software running on Microsoft® Windows operating systems. The effects of this attack can range from a denial-of-service ("DoS") to the injection of malicious code into trusted processes, depending on the content of the DLL and the risk mitigations the victim has in place.
As of this announcement, there is no known publicly available exploit code relating to this vulnerability.
Version 2.0 Update:
Rockwell Automation received a vulnerability report from Reid Wightman, a researcher from Dragos, reporting that additional versions of CCW continued to be affected by this vulnerability.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
- Connected Components Workbench - Developer Edition, v11.00.00 and earlier
- Connected Components Workbench - Free Standard Edition, v11.00.00 and earlier
Vulnerability Details
Certain DLLs included with versions of CCW software can be potentially hijacked to allow an attacker to gain rights to a victim’s affected personal computer (PC). Such access rights can be at the same, or potentially higher, level of privileges as the compromised user account, including and up to computer administrative privileges.
DLL hijacking requires user interaction and thus cannot be exploited remotely. The exploits are triggered only when a local user runs the vulnerable application, which then loads the untrusted DLL file in place of the real DLL file. Exploiting this vulnerability relies on successful social engineering of a victim to run an application with the untrusted file, or to access a malicious webpage that is susceptible to browser redirection. These actions could allow an untrusted binary or DLL to be loaded into the memory of a client computer in place of the intended DLL.
The impacts of a successful DLL hijacking attack can range from a software crash (i.e. denial-of-service), which would require a restart, to the injection of malicious code into trusted processes. The impact of an attack that injects malicious code is highly dependent on both the type of code included in the attack and any mitigations that the user may already employ. If the software is running as a high-privileged user, any injected code will also execute with those high privileges. The malicious code can also access process memory space that stores sensitive information or additional services that may be manipulated by the modified DLL.
A CVSS v3 base score of 7.0 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Risk Mitigation & User Action
Customers using versions of affected software are encouraged to take the following actions:
- Apply Connected Components Workbench – Developer Edition v12.00.00 (Download) or Connected Components Workbench – Free Standard Edition v12.00.00 (Download).
- Apply the risk mitigations and recommended user actions in Knowledgebase Document ID PN1498 / Article ID 1125780.
- Apply the risk mitigations and recommended user actions in Knowledgebase Document ID PN1499 / Article ID 1125782.
General Security Guidelines
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use of Microsoft AppLocker or another whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation® products is available at Knowledgebase Article ID 546989.
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).