Severity:
Critical,
High
Advisory ID:
PN1539
Published Date:
December 17, 2020
Last Updated:
December 17, 2020
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
Não
Corrected:
Não
Workaround:
Não
CVE IDs
CVE-2020-27267,
CVE-2020-27263
Summary
Vulnerabilities in the Kepware OPC UA server interface may lead to Denial-of-Service Conditions or Data Leak
Revision History
Revision Number
1.0
Revision History
Version 1.0 - December 17, 2020. Initial Release.
Executive Summary
Rockwell Automation received a report from PTC, a strategic partner of Rockwell Automation, regarding vulnerabilities in the Kepware OPC UA server interface for KEPServer Enterprise, ThingWorx® Kepware Server, and ThingWorx Industrial Connectivity. If successfully exploited, these vulnerabilities may result in the product ceasing to function. This may cause the following impacts: a loss of ability to configure the application, a loss of data, a loss of data acquisition, or a loss communication with control system assets.
Customers using affected versions of this server are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Customers using affected versions of this server are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
KEPServer Enterprise, versions 6.6.504.0; 6.9.572.0
ThingWorx Industrial Connectivity, all versions
ThingWorx Kepware Server, all versions
ThingWorx Industrial Connectivity, all versions
ThingWorx Kepware Server, all versions
Vulnerability Details
CVE-2020-27263: Heap-based Buffer Overflow
The affected products are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC message could all a remote attacker to crash the server and potentially leak data.
CVSS v3.1 Base Score: 9.1 [Critical]
CVSS Vector: CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CVE-2020-27267: Use After Free
The affected products are vulnerable to a use after free vulnerability, which may allow an attacker to create and close OPC UA connections at a high rate that may cause a server to crash. Successful exploitation of this vulnerability may result in denial-of-service conditions.
CVSS v3.1 Base Score: 7.5 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Risk Mitigation & User Action
Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these options with the general security guidelines to employ multiple strategies simultaneously.
PTC recommends that users upgrade to the most current supported version.
PTC recommends that users upgrade to the most current supported version.
| Recommended User Actions | ||||
| Base Version | ||||
| Affected Product | 6.6 | 6.7 | 6.8 | 6.9 |
| KEPServer Enterprise (Download) | Apply version 6.6.550.0 | -- | -- | Apply version 6.9.584.0 |
| Thingworx Kepware Server (Download) | -- | -- | Apply version 6.8.839.0 | Apply version 8.9.584.0 |
| Thingworx Industrial Connectivity (Download) | Apply version 8.4 (6.6.362.0) | Apply version 8.5(6.7.1068) | -- | -- |
General Security Guidelines
Network-based Vulnerability Mitigations for Embedded Products
General Mitigations
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.
General Mitigations
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- https://us-cert.cisa.gov/ics/advisories/icsa-20-352-02
Copyright ©2022 Rockwell Automation, Inc.