Loading

PN1588 | File Parsing XML Entity in Multiple Products

Severity:
Medium
Advisory ID:
PN1588
发布日期:
March 28, 2021
上次更新时间:
March 28, 2021
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
否
Corrected:
否
Workaround:
否
CVE IDs
CVE-2022-1018
摘要
File Parsing XML Entity in Multiple Products

Revision History
Revision History
Version 1.0 – March 28, 2021

Executive Summary

Rockwell Automation received a report from the researcher Kimiya through Trend Micro’s Zero Day Initiative which identified vulnerabilities in Connected Components Workbench, ISaGRAF Workbench and Safety Instrumented Systems Workbench for AADvance and Trusted controllers. If successfully exploited, these vulnerabilities may result in information leakage and loss of confidentiality. This vulnerability requires user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • Connected Component Workbench Version 12.00 and Below
  • ISaGRAF Workbench 6.6.9 and below
  • Safety Instrumented Systems Workstation 1.1 and below

Vulnerability Details

CVE-2022-1018 XML External Entity Leads to Information Leak

When opening a malicious solution file provided by an attacker, the application suffers from an XML External Entity vulnerability due to an unsafe call within a dynamic link library file.

As a result, this could be exploited to pass data of local files of the victim to a remote web server controlled by an attacker leading to a loss of confidentiality.

CVSS v3.1 Base Score: 5.5/10 [Medium]
CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected versions of this software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Product Suggested Actions
Connected Components Workbench Version  12.00 and below Customers should update to Version 13.00 which mitigates this vulnerability.
ISaGRAF Workbench 6.6.9 and below
It is recommended that customers follow the guidelines below until a patch is available.
SIS Workstation 1.1 and below Customers should update to version 1.2 which mitigates this vulnerability.

If an upgrade is not possible or available, customers should consider deploying the following mitigations:
  • Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted files with Connected Component Workbench, ISaGRAF, SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2022-1018

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Rockwell Automation 主页
  2. Chevron LeftChevron Left Trust Center
  3. Chevron LeftChevron Left Industrial Security Adv
  4. Chevron LeftChevron Left Industrial Security Advisory Detail
请更新您的Cookies偏好以继续.
此功能需要Cookies来增强您的体验。请更新您的系统偏好以允许使用这些Cookies:
  • 社交媒体Cookies
  • 功能Cookies
  • 性能 Cookies
  • 市场营销Cookies
  • 所有Cookies
您可以随时更新您的系统偏好。如需了解更多信息,请参阅我们的 {0} 隐私政策
CloseClose