Version 1.0 - May 12, 2020. Initial Release.
Executive Summary
OSIsoft reported five vulnerabilities in PI System, a real-time data collection and visualization software, to Rockwell Automation. PI System software is used in multiple Rockwell Automation® software products. These vulnerabilities, if successfully exploited, may result in privilege escalation, information disclosure or a denial-of-service condition.
Not every PI System vulnerability applies to each impacted product. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding PI System vulnerability.
Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures are provided herein.
Affected Products
Product | CVE-2020-10610 | CVE-2020-10608 | CVE-2020-10606 | CVE-2020-10600 | CVE-2020-10645 |
--- | --- | --- | --- | --- | --- |
FactoryTalk® View SE software version 11.00.00 and earlier | X | X | X | | |
FactoryTalk® VantagePoint® software version 8.10.00 and earlier | X | X | X | | |
FactoryTalk Historian - ThingWorx Connector software version 3.00.00 | X | X | X | | |
FactoryTalk Historian SE software version 6.00.00 and earlier | X | X | X | X | |
PlantPAx® DCS software (including Virtual Templates) version 4.60.00 and earlier | X | X | X | | |
FactoryTalk ProcessBook software version 3.60.00 and earlier | X | X | X | X | |
FactoryTalk Datalink software version 5.30.00 and earlier | X | X | X | | |
FactoryTalk Historian SE to Historian SE (SE2SE) Interface software version 3.08.07 and earlier | X | X | X | | |
FactoryTalk Historian SE Interface for Universal File Loader software version 3.01.02 and earlier | X | X | X | | |
FactoryTalk Historian SE Interface for ODBC (RDBMS) software version 3.20.06 and earlier | X | X | X | | |
FactoryTalk Historian Batch Interface software version 1.00.20 and earlier | X | X | X | | |
FactoryTalk Historian Event Frames Generator (PE EFGen) software version 4.00.25 and earlier | X | X | X | | |
FactoryTalk Historian SE Advance Server software version 6.00.00 and earlier | X | X | X | | |
FactoryTalk Historian SE third-party OLEDB Connectivity software version 4.00.00 and earlier | X | X | X | | |
FactoryTalk Historian SE third-party OPC Connectivity software version 4.00.00 and earlier | X | X | X | | |
Vulnerability Details
OSIsoft provided the vulnerability details in their security advisory.
CVE-2020-10610: Local Privilege Escalation via Uncontrolled Search Path Element
A local attacker can modify a search path and plant a binary to exploit the affected PI System software and take control of the local computer at system-level privileges, resulting in unauthorized information disclosure, deletion or modification.
CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-10608: Local Privilege Escalation via Improper Verification of Cryptographic Signature
A local attacker can plant a binary and bypass a code integrity check for loading PI System libraries. Exploitation can target another local user of the software to escalate privilege, resulting in unauthorized information disclosure, deletion or modification.
CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-10606: Local Privilege Escalation via Incorrect Default Permissions
A local attacker can exploit incorrect permissions set by affected PI System software. Exploitation can result in unauthorized disclosure, deletion, or modification if the local computer also processes PI System data from other users such as a shared workstation or terminal server deployment.
CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2020-10600: Null Pointer Dereference may cause Denial-of-Service conditions
A remote, authenticated attacker could crash PI Archive Subsystem when the subsystem is working under memory pressure. This can result in blocking queries to PI Data Archive and may cause denial-of-service conditions.
CVSS v3 Base Score: 5.9/10 (MEDIUM)
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
CVE-2020-10645: Use of Out-of-range Pointer Offset may lead to Remote Code Execution
A remote, authenticated attacker could embed malicious content in the display file of the impacted software product. When opened by an affected version, the attacker could read, write and execute code on the computer with the impacted software in the context of the current user.
CVSS v3 Base Score: 8.0/10 (HIGH)*
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
* Note: OSIsoft calculated the Temporal CVSS metrics for this vulnerability, which brings the score to 6.4/10 (MEDIUM).
Risk Mitigation & User Action
Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates and user guidance as these fixes become available. Please subscribe to security updates to this advisory and the Industrial Security Index (Knowledgebase PN1354) to stay notified.
Customers currently using any of the affected software are encouraged to take the following actions:
v2.0 - Update:
Product | CVE Identifiers | Suggested Action |
--- | --- | --- |
FactoryTalk® View SE software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v12.00.00 or later. |
FactoryTalk Historian SE | CVE-2020-10600, CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v7.00.00 or later. |
PlantPAx® DCS software (including Virtual Templates) | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v5.00 or later. |
FactoryTalk ProcessBook software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610, CVE-2020-10645 | Download v3.70.01 or later. |
FactoryTalk Datalink software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v5.50.02 or later. |
FactoryTalk Historian SE Interface for Universal File Loader software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v3.60.07 or later. |
FactoryTalk Historian SE Interface for ODBC (RDBMS) software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v3.24.05 or later. |
FactoryTalk Historian Event Frames Generator (PE EFGen) software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v4.00.40 or later. |
FactoryTalk Historian SE Advance Server software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v7.00.00 or later. |
FactoryTalk Historian SE third-party OLEDB Connectivity software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v7.00.00 or later. |
FactoryTalk Historian SE third-party OPC Connectivity software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v7.00.00 or later. |
v1.0 - Initial Release:
Customers currently using any of the affected software that is not listed in the table above are encouraged to take the following actions:
Vulnerability Identifier | Suggested Actions |
--- | --- |
CVE-2020-10610 | |
CVE-2020-10608 | |
CVE-2020-10606 | |
CVE-2020-10600 | |
CVE-2020-10645 | |
General Security Guidelines
- Run all software as a standard user, not as an administrator, to minimize the impact of malicious code on the infected system.
- (CVE-2020-10610 & CVE-2020-10608) Using Microsoft® AppLocker or a similar application whitelisting tool can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available in Knowledgebase Article ID 546989.
- Ensure that the least-privilege user principle is followed, and that user/service account access to shared resources (such as a database) is granted only with the minimum rights needed.
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
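The three local privilege escalation issues above (CVE-2020-10610, CVE-2020-10608, CVE-2020-10606) all hinge on a standard user being able to plant or replace a binary in a location the software trusts. The following PowerShell check, added here as an example and not code from Rockwell Automation or OSIsoft, audits an install tree for ACL entries that grant write-type rights to broad principals such as Users or Everyone; the install path is a placeholder that must be pointed at the actual PI System or FactoryTalk folder.

```powershell
# Added defensive check (not from the advisory or either vendor): flag ACL entries on a
# software install tree that grant write-type rights to broad, low-privilege principals.
# The default path is a placeholder; pass the real PI System / FactoryTalk install folder.
param(
    [string]$Root = 'C:\Program Files\PLACEHOLDER_PI_INSTALL'
)

# Principals that every standard (non-admin) user on a shared workstation belongs to.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that would let such a user plant, replace or re-permission a binary.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write `
    -bor [System.Security.AccessControl.FileSystemRights]::Modify `
    -bor [System.Security.AccessControl.FileSystemRights]::FullControl `
    -bor [System.Security.AccessControl.FileSystemRights]::ChangePermissions `
    -bor [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-WeakAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    ($Ace.AccessControlType -eq 'Allow') -and
    ($BroadPrincipals -contains $Ace.IdentityReference.Value) -and
    (($Ace.FileSystemRights -band $WriteRights) -ne 0)
}

# Audit the root, every subdirectory, and every executable/library file under it.
$targets = @(Get-Item -Path $Root) + @(
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -or $_.Extension -in '.exe', '.dll' }
)

$findings = foreach ($item in $targets) {
    $acl = Get-Acl -Path $item.FullName
    foreach ($ace in $acl.Access) {
        if (Test-WeakAce -Ace $ace) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited entries point at a parent folder
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No write-type rights for broad principals found under $Root" }
```

Any row reported here is a location where a low-privilege user could stage a file for the search-path or signature-bypass issues above; inherited entries should be corrected on the parent directory they come from, and the audit is worth re-running after each vendor update lands.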
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
Additional Links