OTPulse

Rockwell Automation ISaGRAF

Act Now · 8.6 · ICS-CERT ICSA-22-095-01 · Apr 5, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Rockwell Automation's Connected Component Workbench, ISaGRAF Workbench, and Safety Instrumented Systems Workstation contain unsafe deserialization vulnerabilities (CWE-502) that allow arbitrary code execution when a user opens a malicious project file or configuration. The vulnerability is triggered during file parsing and executes code with the privileges of the user running the application. Connected Component Workbench versions 13.00.00 and earlier are affected. ISaGRAF Workbench versions 6.0 through 6.6.9 are affected. Safety Instrumented Systems Workstation v1.2 and prior (for Trusted Controllers) are affected. The attack requires local access to the workstation and user interaction to open the malicious file.

What this means
What could happen
An attacker with local access to an engineering workstation could execute arbitrary code with the privileges of the logged-in user, potentially modifying control logic, safety configurations, or process parameters in industrial systems managed by these tools.
Who's at risk
Engineering and operations teams using Rockwell Automation's Connected Component Workbench, ISaGRAF Workbench, or Safety Instrumented Systems Workstation on Windows workstations should be aware. This affects anyone maintaining PLCs, safety systems, or other control logic through these tools at water treatment plants, electrical substations, and manufacturing facilities.
How it could be exploited
An attacker must trick an engineer or technician into opening a malicious file (project file, configuration, or script) using Connected Component Workbench, ISaGRAF Workbench, or Safety Instrumented Systems Workstation on a Windows workstation. The vulnerability in the file parsing code allows the attacker to execute code with the user's privileges. If the user has administrator rights, the attacker gains full system control.
Prerequisites
  • Local access to the Windows workstation running the affected tool
  • User must open a malicious file created by the attacker
  • No special credentials or configuration required
  • Local access required (not remotely exploitable)
  • User interaction required to open malicious file
  • No authentication bypass
  • High impact if user has administrator privileges
  • No public exploit available yet
  • Affects safety systems (Safety Instrumented Systems Workstation)
  • High EPSS score (47.8%)
Exploitability
High exploit probability (EPSS 47.8%)
Affected products (3)
1 with fix, 2 EOL
  • Product: Connected Component Workbench: v13.00.00 and prior
    Affected Versions: ≤ 13.00.00
    Fix Status: v20.00 or later
  • Product: ISaGRAF Workbench: v6.0 through v6.6.9
    Affected Versions: ≥ 6.0 | ≤ 6.6.9
    Fix Status: No fix (EOL)
  • Product: Safety Instrumented Systems Workstation: v1.2 and prior (for Trusted Controllers)
    Affected Versions: ≤ 1.2 (for Trusted Controllers)
    Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Run Connected Component Workbench, ISaGRAF, and SISW with standard user privileges, not administrator
  • WORKAROUND: Do not open untrusted or unexpected project files, configuration files, or backups from unknown sources with these tools
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update Connected Component Workbench to v20.00 or later
  • HOTFIX: For ISaGRAF Workbench and Safety Instrumented Systems Workstation, wait for vendor patch (currently no fix available)
  • HARDENING: Deploy Microsoft AppLocker or equivalent application allow-list to restrict what code can execute on engineering workstations
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ISaGRAF Workbench: v6.0 through v6.6.9, Safety Instrumented Systems Workstation: v1.2 and prior (for Trusted Controllers). Apply the following compensating controls:
  • HARDENING: Conduct user training on recognizing phishing and social engineering attempts that distribute malicious files
  • HARDENING: Apply least-privilege access to databases and shared resources accessed by these tools; service accounts should have minimum required rights