Severity:
Critical,
High,
Medium
Advisory ID:
PN1510
Published Date:
August 20, 2020
Last Updated:
August 20, 2020
Revision Number:
2.2
Known Exploited Vulnerability (KEV):
Não
Corrected:
Não
Workaround:
Não
CVE IDs
CVE-2020-12027,
CVE-2020-12028,
CVE-2020-12029,
CVE-2020-12031
Summary
FactoryTalk View SE Contains Multiple Vulnerabilities Found During Pwn2Own Competition
Revision History
Revision Number
2.2
Revision History
Version 2.2 - August 20, 2020 Links to additional detections
Version 2.1 - August 18, 2020 Links to additional detections
Version 2.0 - July 23, 2020. Updated guidance given public scripts.
Version 1.0 - June 18, 2020. Initial Release.
Version 2.1 - August 18, 2020 Links to additional detections
Version 2.0 - July 23, 2020. Updated guidance given public scripts.
Version 1.0 - June 18, 2020. Initial Release.
Executive Summary
Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.
During the competition, Rockwell Automation was made aware of flaws in the way FactoryTalk View SE handles certain sensitive information, authentication mechanisms, and bounds checking, which could lead to Remote Code Execution (RCE).
Special thanks to the following researchers who submitted these vulnerabilities through the Pwn2Own competition: The Incite Team (Steven Seeley and Chris Anastasio), Claroty Research (Sharon Brizinov and Amir Preminger), Synacktiv (Lucas Georges), Tobias Scharnowski, Niklas Brietfeld, Ali Abbasi, Pedro Ribeiro, Radek Domanski, and Fabius Artrel.
As of July 23, 2020, the researchers, along with ZDI, have released documentation and a script that makes it possible for an unskilled adversary to compromise the host running FactoryTalk View SE. Customers using the affected versions of FactoryTalk View SE should apply the patch and implement the mitigations detailed below as soon as possible.
Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.
During the competition, Rockwell Automation was made aware of flaws in the way FactoryTalk View SE handles certain sensitive information, authentication mechanisms, and bounds checking, which could lead to Remote Code Execution (RCE).
Special thanks to the following researchers who submitted these vulnerabilities through the Pwn2Own competition: The Incite Team (Steven Seeley and Chris Anastasio), Claroty Research (Sharon Brizinov and Amir Preminger), Synacktiv (Lucas Georges), Tobias Scharnowski, Niklas Brietfeld, Ali Abbasi, Pedro Ribeiro, Radek Domanski, and Fabius Artrel.
As of July 23, 2020, the researchers, along with ZDI, have released documentation and a script that makes it possible for an unskilled adversary to compromise the host running FactoryTalk View SE. Customers using the affected versions of FactoryTalk View SE should apply the patch and implement the mitigations detailed below as soon as possible.
Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.
Affected Products
FactoryTalk View SE all versions
Vulnerability Details
CVE-2020-12029: Code execution due to improper limitation of a pathname to a restricted directory
FactoryTalk View SE does not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE).
CVSS v3.1 Base Score: 9.0 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10284
CVE-2020-12031: Code execution due to improper bounds checking
FactoryTalk View SE fails to bounds-check monitor configurations. After bypassing memory corruption mechanisms found in the operating system, a local, authenticated attacker may corrupt the associated memory space allowing for arbitrary code execution. This attack depends on user interaction to be successful.
CVSS v3.1 Base Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10270
CVE-2020-12028: Unauthenticated file permissions for remote endpoints
FactoryTalk View SE provides the capability to interact with remote endpoints, which are accessible by a series of handlers. A remote, authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions. This attack depends on user interaction to be successful.
CVSS v3.1 Base Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10283
CVE-2020-12027: Information disclosure affecting remote endpoints
FactoryTalk View SE discloses the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts.
CVSS v3.1 Base Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
ZDI Tracking: ZDI-CAN-10281, ZDI-CAN-10282, ZDI-CAN-10291
FactoryTalk View SE does not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE).
CVSS v3.1 Base Score: 9.0 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10284
CVE-2020-12031: Code execution due to improper bounds checking
FactoryTalk View SE fails to bounds-check monitor configurations. After bypassing memory corruption mechanisms found in the operating system, a local, authenticated attacker may corrupt the associated memory space allowing for arbitrary code execution. This attack depends on user interaction to be successful.
CVSS v3.1 Base Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10270
CVE-2020-12028: Unauthenticated file permissions for remote endpoints
FactoryTalk View SE provides the capability to interact with remote endpoints, which are accessible by a series of handlers. A remote, authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions. This attack depends on user interaction to be successful.
CVSS v3.1 Base Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10283
CVE-2020-12027: Information disclosure affecting remote endpoints
FactoryTalk View SE discloses the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts.
CVSS v3.1 Base Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
ZDI Tracking: ZDI-CAN-10281, ZDI-CAN-10282, ZDI-CAN-10291
Risk Mitigation & User Action
Customers using the affected versions of FactoryTalk View SE are encouraged to apply the patch or deploy recommended built in security features that addresses the associated risk. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Note: The Cisco Talos team developed Snort rules to detect these vulnerabilities (sid:54670-54675).
Additionally, Claroty has provided the following detections:
Rule Name: FactoryTalk View SE Directory Traversal CVE-2020-12027
Detection Identifier: 1000000055
Vulnerability Information | Recommended User Actions |
CVE-2020-12029 | Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. QA49264 - Patch Roll-up for CPR9 SRx Apply patch BF25481 |
CVE-2020-12031 | Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. QA49264 - Patch Roll-up for CPR9 SRx Apply patch found in BF25482 |
CVE-2020-12028 CVE-2020-12027 | This vulnerability is remediated by enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in QA46277 and QA59546 to set up IPSec and/or HTTPS, respectively. |
Note: The Cisco Talos team developed Snort rules to detect these vulnerabilities (sid:54670-54675).
Additionally, Claroty has provided the following detections:
Rule Name: FactoryTalk View SE Directory Traversal CVE-2020-12027
Detection Identifier: 1000000055
General Security Guidelines
Software/PC-based Mitigation Strategies
Social Engineering Mitigation Strategies
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd(kabyrd@ra.rockwell.com).
ADDITIONAL LINKS
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
Social Engineering Mitigation Strategies
- Do not open untrusted filed.
- Do not click on or open URL links from untrusted sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd(kabyrd@ra.rockwell.com).
ADDITIONAL LINKS
Copyright ©2022 Rockwell Automation, Inc.