Version 1.0 - June 11, 2020. Initial Release.
Executive Summary
Rockwell Automation has provided software updates that remediate these vulnerabilities. Customers using the affected versions of these products are encouraged to evaluate the mitigations provided below and apply them appropriately.
Affected Products
- FactoryTalk Linx software versions 6.00, 6.10, and 6.11
- Connected Components Workbench™ software v12 and earlier
- ControlFLASH Plus™ software v1 and later
- ControlFLASH™ software v14 and later
- FactoryTalk Asset Centre software v9 and later
- FactoryTalk Linx CommDTM software v1 and later
- Studio 5000® Launcher software v31 and later
- Studio 5000 Logix Designer® software v32 and earlier
Vulnerability Details
An exposed API call allows users to provide files to be processed without sanitization. This may allow an attacker to specify a filename to execute unauthorized code and modify files or data.
CVSS v3.1 Base Score: 9.6/10 [CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVE-2020-12001: Arbitrary code execution due to path traversal
The parsing mechanism that processes certain file types does not sanitize its input. This may allow an attacker to use specially crafted files to traverse the file system, modify sensitive data, or execute arbitrary code.
CVSS v3.1 Base Score: 9.6/10 [CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CVE-2020-12003: Information disclosure due to path traversal
An exposed API call allows users to provide files to be processed without sanitization. This may allow an attacker to use specially crafted requests to traverse the file system and expose sensitive data on the local hard drive.
CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2020-12005: Denial-of-service conditions due to unrestricted upload of certain file types
A vulnerability exists in the communication function that enables users to upload EDS files by FactoryTalk Linx. This may allow an attacker to upload a rogue EDS.gz file with “bad compression”, consuming all the available CPU resources and leading to denial-of-service (DoS) conditions.
CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Risk Mitigation & User Action
CVE | Products Affected | Mitigation |
CVE-2020-11999, CVE-2020-12001, CVE-2020-12003, CVE-2020-12005 | | Customers are encouraged to apply these patches by following instructions in Knowledgebase articles below: |
General Security Guidelines
- Block all traffic to EtherNet/IP™ devices or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP Ports 2222 and 7153 and UDP Port 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID BF7490.
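One way to check that the port restriction above is actually being enforced, as an added example that is not part of the Rockwell Automation advisory: the script scans firewall flow records for allowed traffic that reaches the listed ports from outside the Manufacturing Zone. The zone subnet, the record format and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Ports named in the guideline above, as (protocol, destination port).
CIP_PORTS = {("tcp", 2222), ("tcp", 7153), ("udp", 44818)}

# Assumption: the Manufacturing Zone is this subnet; replace with your own ranges.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample records: "action proto src_ip src_port dst_ip dst_port".
SAMPLE_FLOWS = """\
ACCEPT udp 10.20.4.15 51000 10.20.8.30 44818
ACCEPT udp 192.168.50.7 40222 10.20.8.30 44818
DROP tcp 172.16.9.4 51514 10.20.8.31 2222
ACCEPT tcp 192.168.50.7 49812 10.20.8.32 7153
ACCEPT tcp 192.168.50.7 49813 10.20.8.32 443
ACCEPT tcp 10.20.4.15 50100 192.168.50.9 2222
malformed line
"""

def in_zone(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MANUFACTURING_ZONE)

def parse_flow(line):
    """Return a dict for a well-formed record, or None for anything else."""
    parts = line.split()
    if len(parts) != 6:
        return None
    action, proto, src, _sport, dst, dport = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"action": action.upper(), "proto": proto.lower(),
                "src": src, "dst": dst, "dport": int(dport)}
    except ValueError:
        return None

def find_violations(log_text):
    """Allowed flows from outside the zone to a listed port inside it."""
    hits = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["action"] != "ACCEPT":
            continue
        if (flow["proto"], flow["dport"]) not in CIP_PORTS:
            continue
        if in_zone(flow["dst"]) and not in_zone(flow["src"]):
            hits.append(flow)
    return hits
```

Any record returned by `find_violations` is a flow the perimeter controls should have blocked; an empty result on real logs is the expected state once the rule is in place.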
General Mitigations
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
ADDITIONAL LINKS
- PN1354 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide