Severity:
Critical,
High
Advisory ID:
PN1580
Data pubblicazione:
December 16, 2021
Ultimo aggiornamento:
December 16, 2021
Revision Number:
1.2
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2019-5097,
CVE-2019-5096
Riepilogo
GOAhead Web Server vulnerability in 1783-NATR
Revision History
Revision Number
1.2
Revision History
Version 1.0 – December 15, 2021
Version 1.1 - December 16, 2021: Updated Suggested Actions
Version 1.2 – January 21, 2021: Updated Suggested Actions To Mitigate
Version 1.1 - December 16, 2021: Updated Suggested Actions
Version 1.2 – January 21, 2021: Updated Suggested Actions To Mitigate
Executive Summary
Rockwell Automation received a report from Cisco® Talos™ Researchers regarding two vulnerabilities in the 1783-NATR. If successfully exploited, these vulnerabilities may result in remote code execution on the device through the GoAhead web server and a denial-of-service condition.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Detailed Information
CVE-2019-5096: GoAhead web server allows unauthenticated HTTP requests that may result in remote code execution
A remote unauthenticated attacker may be able to send a specially crafted HTTP request that can lead to a use-after-free condition during the processing of this request that can be used to corrupt heap structures, which would result in the ability for the attacker to execute remote code execution.CVSS v3.1 Base Score: 9.8/10[Critical}
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-5097: GoAhead web server allows specially crafted HTTP requests that may result in a denial-of-service for the device.
A remote unauthenticated attacker may be able to send a specially crafted HTTP request that can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POSTS requests and does not require the requested resource on the server, which would lead to a denial-of-service attack on the device.CVSS v3.1 Base Score: 7.5/10 [High]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
1783-NATR version 1.005
Risk Mitigation & User Action
Customers using the affected 1783-NATR are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability | Suggested Actions |
CVE-2019-5096 | Upgrade firmware to version 1.006 to mitigate this vulnerability. |
CVE-2019-5097 | Upgrade firmware to version 1.006 to mitigate this vulnerability. |
General Security Guidelines
Network-based vulnerability mitigations for embedded products
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that HTTP port 80 from unauthorized sources are blocked.
- Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
- Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to Port#80 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products .
General mitigations
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/security notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Additional Links
Copyright ©2022 Rockwell Automation, Inc.