Severity:
Low
Advisory ID:
PN1509
Fecha de publicación:
August 11, 2020
Última actualización:
August 11, 2020
Revision Number:
1.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2020-12025
Resumen
Studio 5000 Logix Designer XML External Entity (XXE) Vulnerability Found During Pwn2Own Competition
Revision History
Revision Number
1.1
Revision History
Version 1.1 - August 11, 2020. Updated Recommended User Actions
Version 1.0 - July 8, 2020. Initial Version.
Version 1.0 - July 8, 2020. Initial Version.
Executive Summary
Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.
During the competition, Rockwell Automation was made aware of an XML External Entity (XXE) flaw in the way the Studio 5000 Logix Designer® software parses AML and RDF files. An attacker may utilize this vulnerability to parse a malicious file, which could result in information disclosure.
Special thanks to The Incite Team for reporting this vulnerability through Pwn2Own. This vulnerability was independently co-discovered by researchers at Claroty after the competition.
During the competition, Rockwell Automation was made aware of an XML External Entity (XXE) flaw in the way the Studio 5000 Logix Designer® software parses AML and RDF files. An attacker may utilize this vulnerability to parse a malicious file, which could result in information disclosure.
Special thanks to The Incite Team for reporting this vulnerability through Pwn2Own. This vulnerability was independently co-discovered by researchers at Claroty after the competition.
Affected Products
Logix Designer Studio 5000 versions 32.00, 32.01, and 32.02.
Vulnerability Details
CVE-2020-12025: XXE Vulnerability Could Lead to Unauthorized Information Disclosure
Logix Designer Studio 5000 utilizes a third-party XML parser, which natively accepts AML and RDF files from any external entity. If successfully exploited, an unauthenticated attacker may be able to craft a malicious file, which when parsed, could lead to some information disclosure of hostnames or other resources from the program.
Other versions of Studio 5000 Logix Designer do not support this parser and therefore, are not affected by this vulnerability. Versions 32.00, 32.01, and 32.02 contains the vulnerable code; however, this vulnerability is considered LOW severity since the exploit relies on user interaction and the limited data that would be provided to the attacker.
CVSSv3 Base Score: 3.6 (LOW)
CVSSv3 Vector String: AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
ZDI Tracking: ZDI-CAN-10290
Logix Designer Studio 5000 utilizes a third-party XML parser, which natively accepts AML and RDF files from any external entity. If successfully exploited, an unauthenticated attacker may be able to craft a malicious file, which when parsed, could lead to some information disclosure of hostnames or other resources from the program.
Other versions of Studio 5000 Logix Designer do not support this parser and therefore, are not affected by this vulnerability. Versions 32.00, 32.01, and 32.02 contains the vulnerable code; however, this vulnerability is considered LOW severity since the exploit relies on user interaction and the limited data that would be provided to the attacker.
CVSSv3 Base Score: 3.6 (LOW)
CVSSv3 Vector String: AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
ZDI Tracking: ZDI-CAN-10290
Risk Mitigation & User Action
Customers using the affected versions of Studio 5000 Logix Designer are encouraged to update to Studio 5000 Logix Designer version v32.03.
Vulnerability Information | Recommended User Actions |
CVE-2020-12025 | Update to v32.03 of Logix Designer Studio 5000 Rockwell Automation customers using AML or RDF files should not accept files from unknown sources and remain cautious of social engineering attempts that may take advantage of this vulnerability. |
General Security Guidelines
Social Engineering Mitigation Strategies
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
ADDITIONAL LINKS
- Rockwell Automation customers using AML or RDF files should not accept files from unknown sources and remain cautious of social engineering attempts that may take advantage of this vulnerability.
- Do not open untrusted AML or RDF files within Studio 5000 Logix Designer.
- Do not click on or open URL links from untrusted sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
ADDITIONAL LINKS
Copyright ©2022 Rockwell Automation, Inc.