Severity:
High,
Medium
Advisory ID:
PN1600
Published Date:
July 20, 2022
Last Updated:
July 20, 2022
Revision Number:
1.1
Known Exploited Vulnerability (KEV):
Não
Corrected:
Não
Workaround:
Não
CVE IDs
CVE-2022-2463,
CVE-2022-2465,
CVE-2022-2464
Summary
ISaGRAF Workbench Vulnerable to Multiple Phishing-Style Attacks
Revision History
Revision History
Version 1.0 – July 19, 2022
Version 1.1 – July 20, 2022 – Added AAdvance Trusted SIS Workstation to products affected
Version 1.1 – July 20, 2022 – Added AAdvance Trusted SIS Workstation to products affected
Executive Summary
Rockwell Automation received a report from Claroty regarding three vulnerabilities in ISaGRAF® Workbench. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction such as a phishing attack for successful exploitation.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
- ISaGRAF Workbench v6.0 though v6.6.9
- AADvance-Trusted Safety Instrumented System Workstation v1.1 and below
Vulnerability Details
CVE-2022—2465: Deserialization of untrusted data may result in arbitrary code execution
ISaGRAF Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in ISaGRAF Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE-2022-2464: Directory traversal vulnerability may lead to privilege escalation
The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by ISaGRAF Workbench, can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions of the ISaGRAF Workbench software. User interaction is required for this exploit to be successful.CVSS v3.1 Base Score: 7.7/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE-2022-2463: Improper input sanitization may lead to privilege escalation
ISaGRAF does not sanitize paths specified within the .7z exchange file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .7z exchange file that when opened by ISaGRAF Workbench will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.CVSS v3.1 Base Score: 6.1/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Risk Mitigation & User Action
Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Vulnerability | Product | Suggested Actions |
| CVE-2022-2463 CVE-2022-2464 CVE-2022-2465 | ISaGRAF Workbench | Upgrade to ISaGRAF Workbench v6.6.10 or later. |
| CVE-2022-2463 CVE-2022-2464 | AAdvance-Trusted SIS Workstation | Upgrade to AADvance-Trusted SIS Workstation 1.2 or later |
| CVE-2022-2465 | AAdvance-Trusted SIS Workstation | It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue. |
If immediate upgrade is not possible, customers should consider implementing the following mitigations:
- Run ISaGRAF Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Do not open untrusted .7z exchange files with ISaGRAF Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
General Security Guidelines
If applying the mitigations noted above, is not possible please see our Knowledgebase article, QA43240 – Security Best Practices, for additional recommendations to maintain the security posture of your environment.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Additional Links
Copyright ©2022 Rockwell Automation, Inc.