Severity:
Medium
Advisory ID:
PN1588
Published Date:
March 28, 2021
Last Updated:
March 28, 2021
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
Não
Corrected:
Não
Workaround:
Não
CVE IDs
CVE-2022-1018
Summary
File Parsing XML Entity in Multiple Products
Revision History
Revision History
Version 1.0 – March 28, 2021
Executive Summary
Rockwell Automation received a report from the researcher Kimiya through Trend Micro’s Zero Day Initiative which identified vulnerabilities in Connected Components Workbench, ISaGRAF Workbench and Safety Instrumented Systems Workbench for AADvance and Trusted controllers. If successfully exploited, these vulnerabilities may result in information leakage and loss of confidentiality. This vulnerability requires user interaction through a phishing attack, for example, to be successfully exploited.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
- Connected Component Workbench Version 12.00 and Below
- ISaGRAF Workbench 6.6.9 and below
- Safety Instrumented Systems Workstation 1.1 and below
Vulnerability Details
CVE-2022-1018 XML External Entity Leads to Information Leak
When opening a malicious solution file provided by an attacker, the application suffers from an XML External Entity vulnerability due to an unsafe call within a dynamic link library file.
As a result, this could be exploited to pass data of local files of the victim to a remote web server controlled by an attacker leading to a loss of confidentiality.
CVSS v3.1 Base Score: 5.5/10 [Medium]
CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
When opening a malicious solution file provided by an attacker, the application suffers from an XML External Entity vulnerability due to an unsafe call within a dynamic link library file.
As a result, this could be exploited to pass data of local files of the victim to a remote web server controlled by an attacker leading to a loss of confidentiality.
CVSS v3.1 Base Score: 5.5/10 [Medium]
CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Risk Mitigation & User Action
Customers using the affected versions of this software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
If an upgrade is not possible or available, customers should consider deploying the following mitigations:
| Product | Suggested Actions |
| Connected Components Workbench Version 12.00 and below | Customers should update to Version 13.00 which mitigates this vulnerability. |
| ISaGRAF Workbench 6.6.9 and below | It is recommended that customers follow the guidelines below until a patch is available. |
| SIS Workstation 1.1 and below | Customers should update to version 1.2 which mitigates this vulnerability. |
If an upgrade is not possible or available, customers should consider deploying the following mitigations:
- Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Do not open untrusted files with Connected Component Workbench, ISaGRAF, SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
General Security Guidelines
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Additional Links
Copyright ©2022 Rockwell Automation, Inc.