Rockwell Automation FactoryTalk Linx Software (Update A)

Plan PatchCVSS 9.6ICS-CERT ICSA-20-163-02Jun 11, 2020

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Multiple critical vulnerabilities in Rockwell Automation FactoryTalk Linx and related engineering software allow authenticated users to exploit input validation (CWE-20) and path traversal (CWE-22) flaws. Affected versions include RSLinx Classic v4.11.00 and prior, FactoryTalk Linx versions 6.00, 6.10, 6.11, Studio 5000 Logix Designer v32 and prior, Connected Components Workbench v12 and prior, ControlFLASH v14 and later, ControlFLASH Plus, FactoryTalk Asset Centre v9 and later, Studio 5000 Launcher v31 and later, and FactoryTalk Linx CommDTM. Successful exploitation could allow remote code execution, denial-of-service, or unauthorized access to sensitive information.

What this means

What could happen

An attacker with network access and valid credentials could execute arbitrary code on engineering workstations or servers running affected Rockwell Automation software, potentially allowing them to modify control logic, alter process parameters, or interrupt plant operations. The attacker could also cause denial-of-service conditions or steal sensitive information from manufacturing systems.

Who's at risk

This affects organizations using Rockwell Automation engineering and control software: FactoryTalk Linx, Studio 5000 Logix Designer, Connected Components Workbench, ControlFLASH, FactoryTalk Asset Centre, and related tools. Impact is highest for facilities that use these tools to manage PLCs, drives, and other devices in manufacturing, water/wastewater, power, and process industries. Engineers and technicians who develop and deploy control logic are at direct risk.

How it could be exploited

An attacker with access to the corporate network (or VPN access) and valid login credentials for one of the affected Rockwell tools (FactoryTalk Linx, Studio 5000, or Connected Components Workbench) could exploit input validation or path traversal flaws to execute commands on the engineering workstation. These workstations typically have write access to controllers and PLCs, so the attacker could then push modified logic or configurations to running equipment in the manufacturing zone.

Prerequisites

Network access to the engineering workstation or server running affected Rockwell Automation software
Valid user credentials for the Rockwell software application
The workstation or server must be running one of the vulnerable versions listed

remotely exploitable (via network/VPN)requires valid credentialsno patches available for most affected productsaffects engineering workstations with write access to control deviceshigh CVSS score (9.6)multiple input validation and path traversal flaws

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (9)

1 pending8 EOL

ProductAffected VersionsFix Status

FactoryTalk Linx:6.00 | 6.10 | 6.11No fix yet

RSLinx Classic: v4.11.00 and prior (Versions removed from the scope of this advisory)≤ 4.11.00 (Versions removed from the scope of this advisory)No fix (EOL)

FactoryTalk Linx CommDTM:≥ 1No fix (EOL)

Studio 5000 Launcher:≥ 31No fix (EOL)

FactoryTalk Asset Centre:≥ 9No fix (EOL)

Studio 5000 Logix Designer software:≤ 32No fix (EOL)

Connected Components Workbench:≤ 12No fix (EOL)

ControlFLASH Plus:≥ 1No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDBlock inbound traffic from non-manufacturing networks to TCP ports 2222 and 7153, and UDP port 44818 using firewalls or network security appliances

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXApply Patch Roll-up for CPR9 SRx from Rockwell Automation via their knowledgebase

HOTFIXApply FactoryTalk Linx/Services patch RAID# 1124820

HOTFIXApply FactoryTalk Linx patch RAID# 1126433

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: RSLinx Classic: v4.11.00 and prior (Versions removed from the scope of this advisory), FactoryTalk Linx CommDTM:, Studio 5000 Launcher:, FactoryTalk Asset Centre:, Studio 5000 Logix Designer software:, Connected Components Workbench:, ControlFLASH Plus:, ControlFLASH:. Apply the following compensating controls:

HARDENINGIsolate control system networks and devices behind firewalls, with restricted or no direct connectivity to the business network

HARDENINGIf remote access is required, implement and maintain virtual private networks (VPNs) with the latest patches and security updates

CVEs (3)

CVE-2020-11999 CVE-2020-12003 CVE-2020-12005

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9c53c809-2a9a-419c-b98b-c041aa87a03c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.