Rockwell Automation Logix Designer Studio 5000
Low Risk | 3.6 | ICS-CERT ICSA-20-191-02 | Jul 9, 2020
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Logix Designer Studio 5000 versions 32.00, 32.01, and 32.02 contain an XML external entity (XXE) vulnerability (CWE-611) that could leak hostnames or other resource information when a malicious AML or RDF project file is parsed. Exploitation requires an engineer to open a crafted file, typically via social engineering. This is not remotely exploitable and no known public exploits exist.
What this means
What could happen
An attacker could craft a malicious AML or RDF file that, when opened by an engineer in Logix Designer Studio 5000, discloses hostnames or other resource information from the project file. This is a low-risk information leak with no remote exploitation capability.
Who's at risk
This affects engineering teams who use Rockwell Automation Logix Designer Studio 5000 to develop and maintain PLC and controller programs. Organizations in manufacturing, water treatment, power generation, and other industrial facilities that rely on Logix-based control systems should ensure their engineering staff are aware of this risk.
How it could be exploited
An attacker creates a malicious AML or RDF file and tricks an engineer into opening it (via email or file sharing). When the file is parsed by Logix Designer, the vulnerability leaks internal hostnames or resource names from the engineering workstation or project database.
Prerequisites
- The engineer must be tricked into opening a malicious AML or RDF file (social engineering)
- Local or file-level access to deliver the file to the engineer
- The file must be opened in Logix Designer Studio 5000 versions 32.00, 32.01, or 32.02
- Low severity information disclosure only
- Requires social engineering or user interaction
- No remote exploitation possible
- No patch available from vendor
- Low EPSS score (0.2%)
- Not actively exploited
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Logix Designer Studio 5000: 32.00 32.01 32.02 | 32.00, 32.01, 32.02 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Do not open AML or RDF files from unknown or untrusted sources
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Establish a file review process before engineers open project files from external sources
- HARDENING: Implement email security controls to detect and block suspicious file attachments
Mitigations - no patch available
Logix Designer Studio 5000: 32.00 32.01 32.02 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Train engineers on social engineering and phishing tactics that may be used to deliver malicious project files
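One way to support the file review step above, as an added example that is not part of the advisory or of any Rockwell Automation tooling: a Python check that flags DOCTYPE and entity declarations in a project file before an engineer opens it. The function name, the sample documents and the placeholder URL are constructed for illustration, and the check assumes the AML or RDF file under review is plain XML.

```python
import xml.parsers.expat

# Constructed samples for illustration; the URL is a non-resolving placeholder.
SAMPLE_CLEAN = b'<?xml version="1.0"?><CAEXFile><InstanceHierarchy Name="Line1"/></CAEXFile>'
SAMPLE_FLAGGED = b"""<?xml version="1.0"?>
<!DOCTYPE CAEXFile [
  <!ENTITY ext SYSTEM "http://example.invalid/constructed-placeholder">
]>
<CAEXFile><Description>&ext;</Description></CAEXFile>"""


def review_project_xml(data: bytes) -> list[str]:
    """Return findings for DTD/entity constructs. Nothing is fetched or resolved."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    # Never process external parameter entities or an external DTD subset.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        target = f" (external subset: {sysid})" if sysid else ""
        findings.append(f"DOCTYPE declared for <{name}>{target}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:
            findings.append(f"external entity '{name}' -> {sysid}")
        else:
            findings.append(f"internal entity '{name}'")

    def on_external_ref(context, base, sysid, pubid):
        # Record the reference and continue; the target is never loaded.
        findings.append(f"external entity referenced -> {sysid}")
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed input is itself a reason to hold the file for review.
        findings.append(f"not well-formed XML: {exc}")
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("flagged", SAMPLE_FLAGGED)):
        print(label, review_project_xml(sample) or "no DTD or entity declarations")
```

A file that returns any finding should be held for review rather than opened in Logix Designer; a legitimate project file may still carry a DOCTYPE, so findings are a triage signal, not a verdict.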
CVEs (1)