Last week, a CISA advisory was issued for vulnerabilities present in Rockwell Automation EDS Subsystem versions 28.0.1 and prior, which were discovered by Claroty VP of Research Amir Preminger and Principal Vulnerability Researcher Sharon Brizinov.
Affected Rockwell Automation products include FactoryTalk Linx software versions 6.00, 6.10, and 6.11; RSLinx Classic 4.11.00 and prior; RSNetWorx versions 28.00.00 and prior; and Studio 5000 Logix Designer version 32 and prior. While not known to have been weaponized in the wild, successful exploitation of these vulnerabilities could lead to an arbitrary file write and/or denial-of-service condition.
The discovered vulnerabilities involve a flaw in how the EDS Subsystem parses and stores the content of EDS files. As part of Claroty's ongoing white-hat OT security research, Preminger and Brizinov were able to create a malicious EDS file that writes a Windows batch file onto an arbitrary path (which may include the startup directory) when parsed by Rockwell Automation software. Preminger and Brizinov then presented the malicious EDS file to the EDS Subsystem by emulating an in-network device—an attack strategy sometimes known as a reverse honeypot. Upon restart, the malicious code was executed on the targeted devices.
EDS files are simple text files used by network configuration tools to help identify products and easily commission them on a network. When Rockwell Automation software (e.g. RSLinx) connects to a new type of device, it will read and parse the device's EDS to determine the type of the device and other properties, thus allowing the software to communicate appropriately with the device.
The discovered vulnerabilities can be exploited remotely, but only from within the local network. By connecting their own device to the shop-floor network, or emulating one in Python, and successfully impersonating a new in-network device, an adversary could present a malicious EDS file to discovery software within a targeted network.
In this case, Rockwell Automation's network discovery tools could encounter an attacker's fake device and ask for its malicious EDS file. Upon reading and parsing the EDS file, the vulnerability would be triggered, and a new file would be written to the disk of Rockwell Automation engineering workstations or HMIs. In doing so, the attacker would expand their foothold within the victim's network to Rockwell Automation equipment.
The following CVEs were assigned for the vulnerabilities in Rockwell Automation EDS Subsystem recently discovered by Preminger and Brizinov:
Improper restriction of operations within the bounds of a memory buffer (CVE-2020-12038): A memory corruption vulnerability in the algorithm that matches square brackets in the EDS subsystem may allow an attacker to craft specialized EDS files to crash the EDSParser COM object, leading to denial-of-service conditions.
Improper neutralization of special elements in an SQL command — 'SQL Injection' (CVE-2020-12034): Since the EDS subsystem does not provide adequate input sanitization, an attacker may be allowed to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. As a result, the attacker may be able to carry out a denial-of-service attack or manipulate the SQL engine to write or modify files on the system.
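A defensive sketch of the two parsing steps the advisory describes, written as an added example (not Claroty's or Rockwell Automation's code): section headers are validated against a strict pattern instead of being matched by scanning for brackets, and parsed entries are stored with bound SQL parameters. The EDS layout follows the public ODVA format; the sample files and the table schema are constructed for illustration.

```python
import re
import sqlite3
# Added example (not Claroty's or Rockwell's code). EDS layout follows the public
# ODVA format: '[Section]' headers, 'Key = value;' entries, '$' comments.
# The sample files below are constructed; the table schema is an assumption.
GOOD_EDS = '[File]\nDescText = "Sample device";\n[Device]\nProdName = "Widget";\n'
BAD_BRACKETS = '[File\nDescText = "x";\n[[Device]]\n'  # unbalanced brackets
SQL_CHARS = '[Device]\nProdName = "Widget\'); DROP TABLE eds;--";\n'  # SQL metacharacters

SECTION_RE = re.compile(r"^\[([A-Za-z0-9_]+)\]$")  # exactly one '[' and one ']'
ENTRY_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?);$")

class EdsError(ValueError):
    pass

def parse_eds(text, max_len=64 * 1024):
    """Return {section: {key: value}}; reject oversized or malformed input."""
    if len(text) > max_len:
        raise EdsError("EDS exceeds size limit")
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("$"):  # blank line or EDS comment
            continue
        if line.startswith("[") or line.endswith("]"):
            m = SECTION_RE.match(line)
            if not m:  # '[File', '[[Device]]' and similar are rejected, not matched
                raise EdsError(f"line {lineno}: malformed section header")
            current = sections.setdefault(m.group(1), {})
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            raise EdsError(f"line {lineno}: malformed entry")
        current[m.group(1)] = m.group(2).strip('"')
    return sections

def store_eds(conn, device_id, sections):
    """Persist entries with bound parameters, never string-built SQL."""
    conn.execute("CREATE TABLE IF NOT EXISTS eds (dev TEXT, sec TEXT, k TEXT, v TEXT)")
    rows = [(device_id, s, k, v) for s, kv in sections.items() for k, v in kv.items()]
    conn.executemany("INSERT INTO eds VALUES (?, ?, ?, ?)", rows)
    return len(rows)

def roundtrip(text, device_id="dev-1"):
    """Parse, store in an in-memory database, and read back the stored values."""
    conn = sqlite3.connect(":memory:")
    store_eds(conn, device_id, parse_eds(text))
    return [r[0] for r in conn.execute("SELECT v FROM eds ORDER BY sec, k")]
```

With bound parameters the value in SQL_CHARS is stored as literal text and the `eds` table is untouched; the unbalanced headers in BAD_BRACKETS are rejected before any bracket matching runs.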
These vulnerabilities underscore why it's essential for security teams to be able to monitor OT networks and identify new devices and other potential threats in real time, thus preventing the abuse of automated discovery features that so many vendors offer.
In terms of mitigating these specific vulnerabilities, Rockwell Automation recommends applying the available patch by following the instructions in knowledge base article RAid 1125928 (login required). As a network-based mitigation, Rockwell Automation recommends that users block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP Ports 2222, 7153 and UDP Port 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances.
In addition, CISA offers two general recommendations:
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as VPNs updated to the most current version available. However, keep in mind that a VPN is only as secure as the devices it's connected to.
To learn more about how Claroty can help your team discover and mitigate vulnerabilities within your OT environment, request a demo.
CWE-35 Path Traversal:
011209 Intercom could allow an authenticated attacker to upload arbitrary files to multiple locations within the system.
CyberData recommends users update to v22.0.1
CVSS v3: 9.8
CWE-522 Insufficiently Protected Credentials:
011209 Intercom does not properly store or protect web server admin credentials.
CyberData recommends users update to v22.0.1
CVSS v3: 7.5
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'):
011209 Intercom could allow an unauthenticated user to gather sensitive information through blind SQL injections.
CyberData recommends users update to v22.0.1
CVSS v3: 5.3
CWE-306 Missing Authentication for Critical Function:
011209 Intercom exposes features that could allow an unauthenticated user to gain access and cause a denial-of-service condition or system disruption.
CyberData recommends users update to v22.0.1
CVSS v3: 7.5
CWE-288 Authentication Bypass Using an Alternate Path or Channel:
011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.
CyberData recommends users update to v22.0.1
CVSS v3: 9.8