Rockwell Automation ISaGRAF
Monitor5.5ICS-CERT ICSA-22-088-01Mar 29, 2022
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary
Rockwell Automation workbench applications (Connected Component Workbench, ISaGRAF Workbench, and Safety Instrumented Systems Workstation) contain an XML external entity (XXE) injection vulnerability (CWE-611). When a user opens a specially crafted file, the application parses the XML and sends local file data to a remote server controlled by the attacker. This results in loss of confidentiality—sensitive engineering data, configurations, or credentials stored on the workstation could be exposed. The vulnerability is exploitable only through local file interaction; it is not remotely exploitable and requires user action to open a malicious file.
What this means
What could happen
An attacker could extract sensitive files from engineering workstations and send them to a remote server, compromising confidentiality of control system designs, configurations, or credentials. This is a local attack and does not directly impact running operations.
Who's at risk
This affects engineering and configuration teams who use Rockwell Automation design tools: Connected Component Workbench (for programmable controllers and safety systems), ISaGRAF Workbench (for IEC 61131-3 programming), and Safety Instrumented Systems Workstation. Anyone who opens files from untrusted sources with these tools is at risk of having local files exfiltrated.
How it could be exploited
An attacker must trick a user into opening a malicious file (XML or similar) with one of the affected Rockwell Automation workbench applications. The application parses the file and exfiltrates local data to an attacker-controlled server without user knowledge. The attacker must have the ability to deliver and social-engineer the user to open the malicious file.
Prerequisites
- User must open a malicious file with Connected Component Workbench, ISaGRAF Workbench, or Safety Instrumented Systems Workstation
- File must be crafted to trigger the XML external entity (XXE) vulnerability during parsing
- Attacker must be able to deliver the malicious file to the target user (e.g., via email or removable media)
- The workstation must have network connectivity to reach the attacker's remote server
no authentication requiredlow complexityuser interaction required (file open)high EPSS score (9.1%)affects design and safety system files
Exploitability
Moderate exploit probability (EPSS 9.1%)
Affected products (4)
4 with fix
ProductAffected VersionsFix Status
Connected Component Workbench: v12.00 and prior≤ 12.001.2
ISaGRAF Workbench: All< 6.6.101.2
ISaGRAF Workbench: v6.6.9 and prior≤ 6.6.91.2
Safety Instrumented Systems Workstation: v1.1 and prior≤ 1.11.2
Remediation & Mitigation
0/8
Do now
0/2WORKAROUNDDo not open untrusted or unexpected files with Rockwell Automation workbench applications; implement user awareness training on phishing and social engineering
HARDENINGRun Connected Component Workbench and other workbench applications as a standard user, not as Administrator
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
HOTFIXUpdate Connected Component Workbench to version 13.00 or later
HOTFIXUpdate ISaGRAF Workbench to version 6.6.10 or later
HOTFIXUpdate Safety Instrumented Systems Workstation to version 1.2 or later
Long-term hardening
0/3HARDENINGDeploy application allow-listing (e.g., Microsoft AppLocker) to restrict execution of untrusted applications
HARDENINGApply principle of least privilege to user and service accounts accessing shared resources and databases
HARDENINGIsolate engineering workstations from the Internet and restrict outbound network access to only necessary destinations
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/ed8e110e-5681-4c45-bfa8-30904ed7a7d6