Loading

PN1595 | OpenSSL Infinite Loop in Rockwell Automation Products

Severity:
High,
Medium
Advisory ID:
PN1595
公開日:
September 23, 2022
最終更新日:
September 23, 2022
Revision Number:
1.1
Known Exploited Vulnerability (KEV):
いいえ
Corrected:
いいえ
Workaround:
いいえ
CVE IDs
CVE-2022-0778
概要
OpenSSL Infinite Loop in Rockwell Automation Products

Revision History
Revision Number
1.1
Revision History
Version 1.1 – 8-Sept-2022, Updated Suggested Actions

Executive Summary

Rockwell Automation received a report on a new vulnerability within OpenSSL, which is used within some of our products. This vulnerability can lead to a denial-of-service within the affected products if successfully launched by an attacker.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • ThinManager® software (Versions 12.0.0 - 12.0.2, 12.1.0 - 12.1.3)
  • FactoryTalk® Linx Gateway (Version 6.30 and earlier)
  • Factory Talk Linx OPC UA Connector (Version 6.30 and earlier)
  • Factory Talk View (Version 11.00 - Version 13.00)

Vulnerability Details

CVE-2022-0778 Open SSL allows for an infinite loop

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-0778 Open SSL allows for an infinite loop (*This CVE score only applies to ThinManager)

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

Administrator privileges are needed for this attack to be successful on ThinManager Software.

CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected Suggested Actions
ThinManager This issue has been patched.  Customers should follow the patch instructions as follows:
If using v12.0.0-12.0.2 >> Download v12.0.3
If using v12.1.0-12.1.3 >> Download v12.1.4
Factory Talk Linx Gateway Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
Factory Talk Linx OPC UA Connector Customers should view BF28103 - Everyone Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
Factory Talk View Customers should view BF28297 - Patch: Open SSL Vulnerability, FactoryTalk View 11.0, 12.0, 13.0 to install the update that mitigates the issue.

If an upgrade is not possible or available, customers should consider implementing the following mitigations:
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

Copyright ©2022 Rockwell Automation, Inc.