PN841 | Connected Components Workbench (CCW) ActiveX Component Vulnerability

Severity: High
Advisory ID: PN841
Published Date: November 03, 2014
Last Updated: November 03, 2014
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Summary
Connected Components Workbench (CCW) ActiveX Component Vulnerability

Description

Original Release: October 14, 2014 - Version 1.0

November 3, 2014 - Version 1.1 (UPDATE-A)

<<< START UPDATE-A >>>

A vulnerability has been reported affecting two custom ActiveX components provided with the Connected Components Workbench (CCW) software. If exploited, it will crash a targeted component and it can potentially allow for arbitrary code injection on the computer hosting the component. The vulnerability is both locally and remotely exploitable via a successful social engineering attack, such as an attack that targets a victim or victims via a phishing campaign. At this time there is no known publicly available exploit code.

<<< END UPDATE-A >>>

Rockwell Automation has verified the validity of the vulnerability claim and released a new software build, Version 7.00.00, to address the associated risk. In parallel, other CCW software components in this new build have been bolstered as a result of the company’s focus on security quality and continuous improvement. All customers using CCW software prior to Version 7.00.00 are strongly encouraged to upgrade to Version 7.00.00 or newer at their earliest convenience. Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.

AFFECTED PRODUCTS

  • All software versions prior to and including Version 6.01.00 of Connected Components Workbench (CCW) Software

    Note: CCW Version 7.00.00 and higher are not susceptible to the reported vulnerability.

EXPOSURE

  • All computers with Connected Components Workbench (CCW) Software Version 6.01.00 and earlier.

    Note: CCW Version 7.00.00 and higher are not susceptible to the reported vulnerability.
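
To find exposed computers, the version thresholds above can be applied to an asset inventory. The following is an added example, not Rockwell Automation code; the CSV layout, host names and status labels are constructed for illustration, and only the two version boundaries come from this advisory.

```python
import csv
import io

# Boundaries taken from this advisory.
LAST_AFFECTED = (6, 1, 0)  # "prior to and including Version 6.01.00"
FIRST_FIXED = (7, 0, 0)    # "Version 7.00.00 and higher are not susceptible"


def parse_version(text):
    """Parse 'MM.mm.pp' into a tuple of ints; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Map a CCW version string to a triage status (labels are hypothetical)."""
    v = parse_version(version_text)
    if v is None:
        return "UNKNOWN"  # cannot be cleared automatically; verify by hand
    if v >= FIRST_FIXED:
        return "NOT_AFFECTED"
    if v <= LAST_AFFECTED:
        return "AFFECTED"
    # Between the two boundaries the advisory lists no status, but it tells
    # every customer below Version 7.00.00 to upgrade.
    return "UPGRADE_ADVISED"


# Constructed sample inventory (not real hosts or real release numbers).
SAMPLE_INVENTORY = """host,ccw_version
eng-ws-01,6.01.00
eng-ws-02,7.00.00
eng-ws-03,5.0.0
eng-ws-04,6.5.0
eng-ws-05,v7
eng-ws-06,10.01.00
"""


def triage(csv_text):
    """Return {host: status} for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row["ccw_version"]) for row in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples, so 10.01.00 sorts above 7.00.00 instead of below it as a plain string comparison would.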

<<< START UPDATE-A >>>

VULNERABILITY DETAILS

The reported CCW ActiveX vulnerability is the result of a software coding error that was further compounded by the use of an older version of a compiler used to create the custom ActiveX components. The vulnerability allows an attacker to send an arbitrary, out of range value to a particular property of an affected ActiveX component to crash its operation and then potentially allow for an execution of unauthorized code on the computer hosting the software.

Neither the CCW software, nor the vulnerable ActiveX components necessarily need to be running for an attack to be successful.

The attack vector to exploit this vulnerability first requires a user with local access to the computer containing both a susceptible ActiveX component and a container to either knowingly or unknowingly execute some form of malicious code. Such code could likely be delivered via the loading of an infected webpage or some document opened in a web browser or other container capable of running ActiveX controls. A plausible attack scenario could begin with a phishing attack, whereby a victim is convinced to open and run a malicious HTML file or other such infected file, or to visit a maliciously-altered webpage that has been tailored to specifically exploit this vulnerability in an affected ActiveX component.

<<< END UPDATE-A >>>

Potential impacts from a successful attack could include a simple crash of CCW software (e.g. Denial of Service), thereby requiring a software restart to recover from the crash. In more extreme cases, the victim may not even be aware of vulnerability exploitation since neither CCW nor an affected ActiveX component needs to be running for an attacker to inject malicious code to the susceptible software component. A successful attack that includes malicious code injection may potentially grant the attacker the same, or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.

RISK MITIGATION AND REMEDIATION

A new version of CCW software, Version 7.00.00, has been released to address the risk associated with the vulnerability in the affected ActiveX components. This same software release also includes added software improvements to enhance product security and resilience against similar malicious attacks. All customers using CCW software are encouraged to upgrade to Version 7.00.00 or newer at their earliest convenience.

The following immediate mitigation strategies are recommended. When possible, multiple strategies should be employed simultaneously.

  1. Upgrade Connected Components Workbench (CCW) software as follows:

    Software: Connected Components Workbench (CCW) Software
    Catalog Number: CCW - Free and Developer Edition (Dev Ed)
    Affected Firmware: All CCW software versions prior to, and including Version 6.01.00
    Recommendation: Upgrade to CCW Version 7.00.00 or higher (available now). Refer to additional recommended risk mitigations as provided herein.

    Current CCW software can be obtained here:

    http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?crumb=112

    Product Search: CCW Version: 7.00.00 (or higher)

  2. Limit access to computers with Connected Components Workbench (CCW) to only authorized personnel.
  3. Run Connected Components Workbench (CCW) software as User, not as an Administrator.
  4. Use only trusted software and software patches, and download and interact only with trusted files and webpages.
  5. Restrict network access for computers that include Connected Components Workbench software.
  6. Where possible, run the newest version of the Internet Explorer web browser and other ActiveX containers.
  7. Where possible, disable ActiveX capabilities in web browsers or consider using browsers without ActiveX support.
  8. Closely scrutinize any user-prompts received from web browsers or other ActiveX containers.
  9. Employ layered security, defense-in-depth methods, including administrative controls such as employee training and awareness, and technical controls such as network segregation and segmentation practices in the system design to restrict and control access to individual products and control networks.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released
