Severity:
Critical
Advisory ID:
PN1511
Published Date:
June 24, 2020
Last Updated:
June 24, 2020
Revision Number:
1.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2020-12001
Summary
FactoryTalk Linx Path Traversal Vulnerability Found During Pwn2Own Competition
Revision History
Revision Number
1.1
Revision History
Version 1.1 - June 24, 2020. Corrected affected products.
Version 1.0 - June 18, 2020. Initial Release.
Version 1.0 - June 18, 2020. Initial Release.
Executive Summary
Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.
During the competition, researchers disclosed an open, unauthenticated port which can allow for a directory traversal. This vulnerability was previously disclosed by Rockwell Automation on June 11, 2020.
Special thanks to researchers at Claroty for submitting this issue through Pwn2Own.
Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.
During the competition, researchers disclosed an open, unauthenticated port which can allow for a directory traversal. This vulnerability was previously disclosed by Rockwell Automation on June 11, 2020.
Special thanks to researchers at Claroty for submitting this issue through Pwn2Own.
Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.
Affected Products
- FactoryTalk® Linx software (previously called RSLinx® Enterprise) versions 6.00, 6.10, and 6.11
- Connected Components Workbench v12 and earlier
- ControlFLASH™ Plus v1 and later
- ControlFLASH™ v14 and later
- FactoryTalk® Asset Centre v9 and later
- FactoryTalk® Linx CommDTM v1 and later
- Studio 5000® Launcher v31 and later
- Studio 5000 Logix Designer® v32 and earlier
Vulnerability Details
CVE-2020-12001: Arbitrary code execution due to directory traversal
The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system and modify sensitive data or execute arbitrary code.
CVSS v3.1 Base Score: 9.6/10[CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10292, ZDI-CAN-10298
The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system and modify sensitive data or execute arbitrary code.
CVSS v3.1 Base Score: 9.6/10[CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10292, ZDI-CAN-10298
Risk Mitigation & User Action
Customers using the affected products are encouraged to apply the patch that addresses the associated risk. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Information | Recommended User Actions |
CVE-2020-12001 | Customers are encouraged to apply these patches by following instructions in Rockwell Automation Knowledgebase articles below:
|
General Security Guidelines
Software/PC-based Mitigation Strategies
Social Engineering Mitigation Strategies
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd(kabyrd@ra.rockwell.com).
ADDITIONAL LINKS
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
Social Engineering Mitigation Strategies
- Do not open untrusted files.
- Do not click on or open URL links from untrusted sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd(kabyrd@ra.rockwell.com).
ADDITIONAL LINKS
Copyright ©2022 Rockwell Automation, Inc.