OTPulse

Rockwell Automation DriveTools SP and Drives AOP

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-21-042-02 | Feb 11, 2021
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

A writable path directory vulnerability in DriveTools SP (v5.13 and below) and Drives AOP (v4.12 and below) allows local privilege escalation. An attacker with user-level credentials and local access can write malicious code to a world-writable directory that the application executes with elevated privileges, leading to privilege escalation and potential compromise of the engineering workstation. Successful exploitation may result in total loss of confidentiality, integrity, and availability of the system.

What this means
What could happen
An attacker with local access and engineering credentials could escalate privileges on the host running DriveTools or Drives AOP, potentially allowing them to modify drive parameters, alter motor control logic, or disable monitoring—causing unexpected equipment behavior or process shutdown.
Who's at risk
This affects organizations running Rockwell Automation DriveTools SP or Drives AOP on engineering workstations to configure and manage variable frequency drives (VFDs) in water treatment, wastewater, electric utility, and industrial manufacturing environments. Risk is highest in environments where engineering staff use shared workstations or where non-administrator user accounts have broad access to the engineering network.
How it could be exploited
An attacker must have local access to the PC running DriveTools SP or Drives AOP and valid user credentials. They exploit a writable path directory vulnerability to write malicious code to a location where the application executes it with elevated privileges, leading to privilege escalation.
Prerequisites
  • Local access to the PC running DriveTools or Drives AOP
  • Valid user account credentials (non-administrator)
  • Ability to interact with the file system to write to writable directories
  • User interaction may be required (e.g., launching application or clicking a malicious link)
  • Local exploit only, not remotely exploitable
  • Requires valid user credentials and local file system access
  • High skill level required to exploit
  • Affects software running on engineering PCs, not controllers directly
  • Privilege escalation can lead to full system compromise
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
1 with fix, 1 pending
Product | Affected Versions | Fix Status
DriveExecutive: v5.13 and below | ≤ 5.13 | No fix yet
Drives AOP: v4.12 and below (supports Logix | ≤ 4.12 | v4.13.41 or later
Remediation & Mitigation
Do now
WORKAROUND: Run DriveTools and Drives AOP as a non-administrator user, not as administrator
WORKAROUND: Implement Microsoft AppLocker or equivalent allow-list application control to restrict code execution
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update DriveTools SP to v5.14.41 or later
HOTFIX: Update Drives AOP to v4.13.41 or later
Long-term hardening
HARDENING: Apply the least-privilege principle—grant user/service accounts only the minimum rights needed to shared resources (databases, network shares)
HARDENING: Isolate the engineering workstation running DriveTools or Drives AOP from the business network using a firewall or network segmentation
HARDENING: Deploy antivirus/antimalware on the engineering workstation
HARDENING: Use a VPN with current patches if remote access to the engineering workstation is required
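A check a defender can run on the engineering workstation while the patch is scheduled, added here as an example (it is not part of the advisory or of Rockwell's tooling): it walks an application install tree and reports directories whose ACL grants write-type rights to broad principals such as Everyone, Users or Authenticated Users, which is the writable-path condition the advisory describes. The install root is an assumed placeholder; the well-known SIDs and FileSystemRights values are standard Windows identifiers.

```powershell
# Added example, not from the advisory or Rockwell: audit an application install
# tree for directories that broad, low-privilege principals can write to. When an
# application later loads or runs code from such a directory with elevated rights,
# that is the writable-path condition this advisory describes.
# Assumption: the install root is a placeholder; substitute the real path.
$InstallRoot = 'C:\Program Files (x86)\EXAMPLE_VENDOR\EXAMPLE_APP'

# Well-known SIDs that should never hold write rights on an application directory
# (matched by SID rather than name so the check also works on non-English Windows).
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # Authenticated Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that let a user create, replace, delete or re-permission files.
# Read-style rights are deliberately excluded so read-only ACEs do not match.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($fsr::Write -bor $fsr::Delete -bor
                   $fsr::DeleteSubdirectoriesAndFiles -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Find-BroadWritableDirectory {
    param([Parameter(Mandatory)][string]$Path)

    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # unresolvable or orphaned identity: skip
            if ($BroadSids -notcontains $sid) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# An empty result means no broad principal can write anywhere in the tree.
$findings = @(Find-BroadWritableDirectory -Path $InstallRoot)
if ($findings.Count) { $findings | Format-Table -AutoSize } else { "No broadly writable directories under $InstallRoot" }
```

Any directory it reports should have the broad write ACE removed (or the tree repermissioned to Administrators/SYSTEM only) and be covered by the AppLocker allow-list workaround above; inherited ACEs usually point at a misconfigured parent directory rather than the reported one.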