Executive Summary
Rockwell Automation products are affected by advisory ICSA-21-210-02, which describes two vulnerabilities in Wibu-Systems AG CodeMeter. These vulnerabilities affect FactoryTalk® Activation Manager and Studio 5000 Logix Designer®. If successfully exploited, they may allow an attacker to read data from the heap of the CodeMeter Runtime network server or to crash the CodeMeter Runtime Server (i.e., CodeMeter.exe).
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate ones to their deployed products. Additional details about the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.
Affected Products
- FactoryTalk® Activation Manager v4.00 to v4.05.02
  - Includes Wibu-Systems AG CodeMeter v7.20a and earlier
- Studio 5000 Logix Designer® v23.00.01 to v33.00.02
Vulnerability Details
CVE-2021-20093: CWE-126
FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems AG CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could crash the server or cause the CodeMeter Runtime Network Server to send back packets containing data from the heap.
Wibu-Systems AG score:
CVSS v3.1 Base Score: 9.1/10 Critical
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVE-2021-20094: CWE-126
FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems AG CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could crash the server or cause the CodeMeter Runtime CmWAN server to send back packets containing data from the heap.
Wibu-Systems AG score:
CVSS v3.1 Base Score: 7.5/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-------------------UPDATE: 22 Nov 2022----------------------
CVE-2021-41057: CWE-269
A local attacker could cause a Denial of Service by overwriting existing files on the affected system.
Wibu-Systems AG Score:
CVSS v3.1 Base Score: 7.1/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Risk Mitigation & User Action
| Vulnerability | Suggested Actions |
| --- | --- |
| CVE-2021-20093 | Update to FactoryTalk Activation Manager 4.05.03 or later. For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center, Standard Views -> Software Latest Versions -> FactoryTalk Activation. |
| CVE-2021-20094 | Update to FactoryTalk Activation Manager 4.05.03 or later. |
| CVE-2021-41057 | Update to FactoryTalk Activation Manager 4.06.11 or later. |
Customers may update Wibu-Systems CodeMeter independently of FactoryTalk Activation Manager or Studio 5000 Logix Designer® by installing Wibu-Systems AG CodeMeter v7.30a. Please refer to this support page to determine whether Wibu-Systems AG CodeMeter v7.30a is compatible with the installed versions of Rockwell Automation software.
During installation, Rockwell Automation products bind CodeMeter Runtime to the Local Host adapter, and the Network Server and CmWAN Server ports are disabled. Therefore, if the default installation is not modified, Rockwell Automation software is not susceptible to these vulnerabilities over a network connection. Default port 22350 is required only if activation licenses are hosted from the machine.
Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.
General Security Guidelines
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that Wibu CodeMeter Network Server and CmWAN Server (Default Port# 22350/TCP and 22351/TCP) are blocked from unauthorized sources.
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use of Microsoft AppLocker or other similar application allow-listing software can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to UDP Port# 2222 (CIP), TCP/UDP Port# 44818 (CIP), and TCP/UDP Port# 2221 (CIP Security) using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet-accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
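As an added illustration of two points above (the installation note that CodeMeter Runtime is bound to the Local Host adapter with the Network Server and CmWAN Server ports disabled, and the guideline to block 22350/TCP and 22351/TCP from unauthorized sources), the following PowerShell script audits a Windows host for CodeMeter listeners that are reachable beyond loopback and, where a host must serve activations, scopes inbound access to named license clients. It is example code, not Rockwell Automation or Wibu-Systems code; it uses only the standard NetTCPIP and NetSecurity cmdlets, and the client addresses are constructed placeholders.

```powershell
# Added example (not Rockwell Automation or Wibu-Systems code). Assumes an elevated
# PowerShell session on Windows 8.1 / Server 2012 R2 or later (NetTCPIP, NetSecurity modules).
$CodeMeterPorts = 22350, 22351          # Network Server and CmWAN Server defaults from the advisory
$LoopbackAddrs  = '127.0.0.1', '::1'

function Get-CodeMeterExposure {
    # One record per listening socket on the CodeMeter ports, with the owning process name.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $CodeMeterPorts -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port           = $_.LocalPort
                LocalAddress   = $_.LocalAddress
                Process        = if ($proc) { $proc.ProcessName } else { 'unknown' }
                # A socket bound to anything other than loopback answers remote peers, which is the
                # condition under which CVE-2021-20093 / CVE-2021-20094 are reachable over the network.
                NetworkExposed = -not ($LoopbackAddrs -contains $_.LocalAddress)
            }
        }
}

$exposure = @(Get-CodeMeterExposure)
if (-not $exposure) {
    Write-Host 'No listeners on 22350/22351: Network Server and CmWAN Server appear disabled (default install).'
}
$exposure | Format-Table -AutoSize

$exposed = @($exposure | Where-Object NetworkExposed)
if ($exposed) {
    $where = ($exposed | ForEach-Object { "$($_.LocalAddress):$($_.Port)" }) -join ', '
    Write-Warning "CodeMeter is listening on non-loopback address(es): $where"

    # Compensating control for a host that must serve activation licenses (port 22350 required):
    # admit only the listed license clients. This relies on the firewall profile's default inbound
    # action being Block (check with Get-NetFirewallProfile) and on no other enabled Allow rule
    # already opening these ports to any remote address; review existing rules before relying on it.
    $AllowedLicenseClients = '192.0.2.10', '192.0.2.11'   # constructed placeholders; replace with real clients
    New-NetFirewallRule -DisplayName 'CodeMeter Network/CmWAN: allowed license clients only' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $CodeMeterPorts `
        -RemoteAddress $AllowedLicenseClients | Out-Null
}
```

Run the audit before and after an upgrade to FactoryTalk Activation Manager 4.05.03/4.06.11 so that a listener reappearing on a non-loopback address is noticed rather than assumed absent.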
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendors' control products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).