Rockwell Automation SIS Workstation and ISaGRAF Workbench
ICS-CERT ICSA-23-318-02, published Nov 14, 2023. CVSS 7.8. Recommended action: plan patch.
Attack Vector: Local
Authentication Required: None
Complexity: Low
User Interaction: Required
Summary
Improper file validation in Rockwell Automation Safety Instrumented System Workstation (versions 1.2 up to, but not including, 2.00) and ISaGRAF Workbench (versions 6.6.9 up to, but not including, 6.06.10) allows unprivileged local users to overwrite files with malicious content. The vulnerability is classified as CWE-20 (Improper Input Validation) and carries a CVSS score of 7.8 (High) with a local attack vector. No public exploitation has been reported.
What this means
What could happen
An unprivileged local user could overwrite files on the engineering workstation with malicious programs, potentially compromising the integrity of safety system configurations or ISaGRAF logic programs before they are deployed to control systems.
Who's at risk
Engineering teams responsible for safety-critical systems should prioritize this—specifically those using Rockwell Automation's Safety Instrumented System Workstation or ISaGRAF Workbench to design and program emergency shutdown systems, process interlocks, or other safety logic that runs on PLCs or safety controllers. Water authorities and utilities with SIS protection layers are affected.
How it could be exploited
An attacker with local access to an engineering workstation running the affected software could exploit improper file permission validation to overwrite critical files with malicious code. This could occur via a compromised USB drive, network share, or local script execution if the user is tricked into running untrusted code on the workstation.
Prerequisites
- Local access to the engineering workstation
- The affected software version must be installed
- User action required (e.g., opening a malicious file or script locally)
Key facts
- Local access required (limits remote attack)
- Requires user interaction
- Could compromise safety system integrity before deployment
- Affects engineering/design phase of safety systems
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Safety Instrumented System Workstation | ≥ v1.2, < v2.00 | fixed in v2.00
ISaGRAF Workbench | ≥ v6.6.9, < v6.06.10 | fixed in v6.06.10
Remediation & Mitigation
Do now
- [Hardening] Restrict local access to engineering workstations to authorized personnel only
- [Hardening] Train users not to open unsolicited email attachments or run untrusted scripts on engineering workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- [Hotfix] Update Safety Instrumented System Workstation to version 2.00 or later
- [Hotfix] Update ISaGRAF Workbench to version 6.06.10 or later
Long-term hardening
- [Hardening] Implement file integrity monitoring on engineering workstations to detect unauthorized file modifications
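The file integrity monitoring item above, as an added example (not Rockwell's or the advisory's tooling): a small Python baseline-and-compare script that hashes a project tree before deployment and later reports files that were overwritten, added or removed. The directory layout and file contents in the demo are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large project files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the tree under root with a trusted baseline.

    Returns the relative paths that were modified, added or removed; all three
    lists empty means the project files still match the baseline.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo_tamper_detection() -> dict:
    """Constructed scenario: baseline a small project tree, then overwrite, add and delete files."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "project"
        project.mkdir()
        (project / "safety_logic.txt").write_text("ESD interlock v1")  # constructed content
        (project / "io_config.txt").write_text("channel map v1")  # constructed content
        baseline = build_baseline(Path(tmp))  # taken before deployment; keep it read-only
        (project / "safety_logic.txt").write_text("tampered")  # unauthorized overwrite
        (project / "dropped.txt").write_text("unexpected")  # unexpected new file
        (project / "io_config.txt").unlink()  # project file deleted
        return check_integrity(Path(tmp), baseline)

if __name__ == "__main__":
    for kind, paths in demo_tamper_detection().items():
        print(f"{kind}: {paths}")
```

The baseline must be stored where the unprivileged local user cannot write it; otherwise the same overwrite weakness lets them replace the baseline along with the project files.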
CVEs (1)