Severity:
High,
Medium
Advisory ID:
PN1565
Fecha de publicación:
May 13, 2021
Última actualización:
May 13, 2021
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2021-27473,
CVE-2021-27471,
CVE-2021-27475
Resumen
Connected Components Workbench Vulnerable to Multiple Phishing-Style Attacks
Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 13, 2021. Initial Release.
Executive Summary
Rockwell Automation received a report from Mashav Sapir of Claroty regarding three vulnerabilities in Connected Components Workbench™. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction through a phishing attack, for example, to be successfully exploited.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
Connected Components Workbench v12.00.00 and below.
Vulnerability Details
CVE-2021-27475: Deserialization of untrusted data may result in arbitrary code execution
Connected Components Workbench does not limit the objects, which can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.
CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE-2021-27471: Directory traversal vulnerability may lead to privilege escalation
The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that when opened by Connected Components Workbench can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful.
CVSS v3.1 Base Score: 7.7/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE-2021-27473: Improper input sanitization may lead to privilege escalation
Connected Components Workbench does not to sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that when opened by Connected Components Workbench will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.
CVSS v3.1 Base Score: 6.1/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Connected Components Workbench does not limit the objects, which can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.
CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE-2021-27471: Directory traversal vulnerability may lead to privilege escalation
The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that when opened by Connected Components Workbench can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful.
CVSS v3.1 Base Score: 7.7/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE-2021-27473: Improper input sanitization may lead to privilege escalation
Connected Components Workbench does not to sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that when opened by Connected Components Workbench will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.
CVSS v3.1 Base Score: 6.1/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Risk Mitigation & User Action
Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
If upgrade is not possible, customers should consider deploying the following mitigations:
| Vulnerability | Suggested Actions |
| CVE-2021-27475 CVE-2021-27471 CVE-2021-27471 | Upgrade to Connected Components Workbench v13.00.00 or later. (Link) |
If upgrade is not possible, customers should consider deploying the following mitigations:
- Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Do not open untrusted .ccwarc, files with Connected Components Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Use of Microsoft® AppLocker or another similar allow list application that can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
- Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
General Security Guidelines
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
Copyright ©2022 Rockwell Automation, Inc.