Severity:
Medium
Advisory ID:
PN1542
Data pubblicazione:
January 14, 2021
Ultimo aggiornamento:
January 14, 2021
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2021-3011
Riepilogo
Side-Channel Issue on NXP 7x Secure Authentication Microcontrollers May Lead to ECC Key Extraction
Revision History
Revision Number
1.0
Revision History
Version 1.0 - January 14, 2021. Initial Release.
Executive Summary
A report has been released regarding a vulnerability in the NXP 7x series microcontroller. If successfully exploited, this vulnerability may result in the extraction of a unique private key. This unique key is used to verify the authenticity of the affected Rockwell Automation® products.
Customers using affected products are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Customers using affected products are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
- 1756-EN2T
- 1756-EN4T
- 1756-EN4TR
- ControlLogix® 5580 Series
- 1756-L81EK, -L82EK, -L83EK, -L84EK, -L85EK
- 1756-L81EP, -L83EP, -L85EP
- 1756-L81E-NSE, 1756-L82E-NSE, 1756-L83E-NSE, 1756-L84E-NSE, 1756-L85E-NSE
- 1756-L81EXT, 1756-L82EXT, 1756-L83EXT, 1756-L84EXT, 1756-L85EXT
- GuardLogix 5580 Series
- 1756-L81ES, -L82ES, -L83ES, -L84ES, -L8SP
- 1756-L81ESK, -L82ESK, -L83ESK, -L84ESK, -L8SPK
- Compact GuardLogix® 5380 Series
- 5069-L306ERMS2
- 5069-L306ERMS3
- 5069-L306ERS2
- 5069-L3100ERMS2
- 5069-L3100ERMS3
- 5069-L3100ERS2
- 5069-L310ERMS2
- 5069-L310ERMS3
- 5069-L310ERS2
- 5069-L320ERMS2
- 5069-L320ERMS2K
- 5069-L320ERMS3
- 5069-L320ERMS3K
- 5069-L320ERS2
- 5069-L320ERS2K
- 5069-L330ERMS2
- 5069-L330ERMS2K
- 5069-L330ERMS3
- 5069-L330ERMS3K
- 5069-L330ERS2
- 5069-L330ERS2K
- 5069-L340ERMS2
- 5069-L340ERMS3
- 5069-L340ERS2
- 5069-L350ERMS2
- 5069-L350ERMS2K
- 5069-L350ERMS3
- 5069-L350ERMS3K
- 5069-L350ERS2
- 5069-L350ERS2K
- 5069-L380ERMS2
- 5069-L380ERMS3
- 5069-L380ERS2
- CompactLogix™ 5380 Series
- 5069-L306ER
- 5069-L306ERM
- 5069-L310ER
- 5069-L310ER-NSE
- 5069-L310ERM
- 5069-L320ER
- 5069-L320ERM
- 5069-L320ERMK
- 5069-L320ERP
- 5069-L330ER
- 5069-L330ERM
- 5069-L330ERMK
- 5069-L340ER
- 5069-L340ERM
- 5069-L340ERP
- 5069-L350ERM
- 5069-L350ERMK
- 5069-L380ERM
- 5069-L3100ERM
- 5069-AEN2TR
- CompactLogix™ 5480 Series
- 5069-L4100ERMW
- 5069-L4200ERMW
- 5069-L430ERMW
- 5069-L450ERMW
- 5069-L46ERMW
- iTRAK® 5730 Small Frame
- iTRAK 5750C
- Kinetix® 5700 Series B - DAI, HPI, LFI, AFE
- PowerFlex® 6000T
- PowerFlex 755 TL
- PowerFlex 755 TM
- PowerFlex 755 TR
Vulnerability Details
CVE-2021-3011: Side-Channel Leakage of Unique ECC Private Key on NXP 7X Series Chip
The NXP A700X chip contains a vulnerability that may allow an attacker to physically extract ECC private keys. Expertise and specialized equipment are required to successfully open the package, extract, and process the side-channel leakage. Successful exploit of this vulnerability may allow an attacker to obtain the unique ECC private key for that chip only. The chip will also be physically damaged. For controllers, the current use of this unique key is only used during the initial deployment of CIP Security.
CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
The NXP A700X chip contains a vulnerability that may allow an attacker to physically extract ECC private keys. Expertise and specialized equipment are required to successfully open the package, extract, and process the side-channel leakage. Successful exploit of this vulnerability may allow an attacker to obtain the unique ECC private key for that chip only. The chip will also be physically damaged. For controllers, the current use of this unique key is only used during the initial deployment of CIP Security.
CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Risk Mitigation & User Action
Rockwell Automation encourages customers, when possible, to follow industry best practices for physical access including, but not limited to:
• Limiting physical access to authorized personnel: control room, cells/areas, control panels, and devices.
• Providing training and communication to personnel to raise awareness of threats.
• Implementing physical barriers such as locked cabinets.
Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.
• Limiting physical access to authorized personnel: control room, cells/areas, control panels, and devices.
• Providing training and communication to personnel to raise awareness of threats.
• Implementing physical barriers such as locked cabinets.
Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.
General Security Guidelines
General Mitigations
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
- PN1354 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- CVE-2021-3011
Copyright ©2022 Rockwell Automation, Inc.