Last week, a CISA advisory was issued for vulnerabilities present in Rockwell Automation EDS Subsystem versions 28.0.1 and prior, which were discovered by Claroty VP of Research Amir Preminger and Principal Vulnerability Researcher Sharon Brizinov. Affected Rockwell Automation products include FactoryTalk Linx software versions 6.00, 6.10, and 6.11; RSLinx Classic 4.11.00 and prior; RSNetWorx versions 28.00.00 and prior; and Studio 5000 Logix Designer version 32 and prior. While not known to have been weaponized in the wild, successful exploitation of these vulnerabilities could lead to an arbitrary file write and/or denial-of-service condition.
The discovered vulnerabilities involve a flaw in how the EDS Subsystem parses and stores the content of EDS files. As part of Claroty’s ongoing white-hat OT security research, Preminger and Brizinov were able to create a malicious EDS file that writes a Windows batch file onto an arbitrary path (which may include the startup directory) when parsed by Rockwell Automation software. Preminger and Brizinov then presented the malicious EDS file to the EDS Subsystem by emulating an in-network device—an attack strategy sometimes known as a reverse honeypot. Upon restart, the malicious code was executed on the targeted devices.
Image 1: Demonstration of the attack carried out by Claroty’s white-hat researchers. When a malicious EDS file is parsed, a file is written to the disk on targeted devices.
EDS files are simple text files used by network configuration tools to help identify products and easily commission them on a network. When Rockwell Automation software (e.g. RSLinx) connects to a new type of device, it will read and parse the device’s EDS to determine the type of the device and other properties, thus allowing the software to communicate appropriately with the device.
Image 2: Example of a normal, non-malicious EDS file.
The discovered vulnerabilities can be exploited remotely, but only from within the local network. An adversary who connects their own device to the shop-floor network, or emulates one via Python, and successfully impersonates a new, in-network device could present a malicious EDS file to discovery software within the targeted network.
In this case, Rockwell Automation's network discovery tools could encounter the attacker's fake device and ask for its malicious EDS file. Upon reading and parsing the EDS file, the vulnerability would be triggered and a new file written to the disk of Rockwell Automation engineering workstations or HMIs. In doing so, the attacker would expand their foothold within the victim's network to Rockwell Automation equipment.
Image 3: Diagram of the attack vector discovered by Claroty researchers.
Overview of Discovered Vulnerabilities
The following CVEs were assigned for the vulnerabilities in Rockwell Automation EDS Subsystem recently discovered by Preminger and Brizinov:
Improper restriction of operations within the bounds of a memory buffer (CVE-2020-12038): A memory corruption vulnerability in the algorithm that matches square brackets in the EDS subsystem may allow an attacker to craft specialized EDS files to crash the EDSParser COM object, leading to denial-of-service conditions.
Improper neutralization of special elements in an SQL command — ‘SQL Injection’ (CVE-2020-12034): Since the EDS subsystem does not provide adequate input sanitization, an attacker may be allowed to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. As a result, the attacker may be able to carry out a denial-of-service attack or manipulate the SQL engine to write or modify files on the system.
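As an added illustration, not code from Claroty, Rockwell Automation or the advisory, the following conservative pre-import linter flags the two input classes the CVEs above describe in an EDS file before it reaches an engineering workstation: unbalanced square brackets (CVE-2020-12038) and SQL metacharacters inside quoted string values (CVE-2020-12034). It assumes the ODVA EDS layout of `[Section]` headers, `Key = value;` entries and `$` comments, checks line by line, and the two sample EDS texts are constructed.

```python
import re

# Markers that never belong inside a legitimate EDS string value and are the
# classic ingredients of an SQL injection payload (CVE-2020-12034).
SQL_META = re.compile(r"'|--|/\*|\*/|;")
STRING = re.compile(r'"([^"]*)"')

def strip_comment(line: str) -> str:
    """EDS comments start with '$' outside a quoted string; drop them."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "$" and not in_str:
            return line[:i]
    return line

def check_eds(text: str) -> list:
    """Return human-readable findings for one EDS file; [] means clean."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.count('"') % 2:
            findings.append(f"line {lineno}: unterminated string")
            continue
        # Section headers: every '[' must be paired with a ']' on the same
        # line; the bracket-matching bug (CVE-2020-12038) lives in this area.
        if line.count("[") != line.count("]"):
            findings.append(f"line {lineno}: unbalanced square brackets")
            continue
        if line.startswith("["):
            name = line[1:line.index("]")]
            if not re.fullmatch(r"[A-Za-z0-9_ ]+", name):
                findings.append(f"line {lineno}: odd section name {name!r}")
            continue
        # Entries: only the quoted string values are attacker-shaped input.
        for value in STRING.findall(line):
            for m in SQL_META.finditer(value):
                findings.append(
                    f"line {lineno}: SQL metacharacter {m.group()!r} in string")
    return findings

# Constructed samples (not a real product's EDS content).
BENIGN = """$ constructed demo EDS
[File]
  DescText = "Demo device EDS";
  CreateDate = 05-14-2020;
[Device]
  ProdName = "Demo Controller";
"""
SUSPECT = """[File
  DescText = "it's; broken";
"""

if __name__ == "__main__":
    for finding in check_eds(SUSPECT):
        print(finding)
```

A clean file yields an empty list; anything else is a reason to quarantine the file rather than let the EDS Subsystem import it.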
These vulnerabilities underscore why it’s essential for security teams to be able to monitor OT networks and identify new devices and other potential threats in real time, thus preventing the abuse of automated discovery features that so many vendors offer.
In terms of mitigating these specific vulnerabilities, Rockwell Automation recommends applying the available patch by following the instructions in knowledgebase article RAid 1125928 (login required). As a network-based mitigation, users should block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the manufacturing zone, by blocking or restricting access to TCP Ports 2222, 7153 and UDP Port 44818 using proper network infrastructure controls such as firewalls, UTM devices, or other security appliances.
In addition, CISA offers two further general recommendations:
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as VPNs updated to the most current version available. However, keep in mind that a VPN is only as secure as the devices it's connected to.
To learn more about how Claroty can help your team discover and mitigate vulnerabilities within your OT environment, request a demo.