Hackers Can Target Rockwell Industrial Software With Malicious EDS Files

Rockwell Automation recently patched two vulnerabilities related to EDS files that can allow malicious actors to expand their access within a targeted organization’s OT network.

The vulnerabilities were discovered by researchers at industrial cybersecurity firm Claroty. Rockwell Automation and the United States Cybersecurity and Infrastructure Security Agency (CISA) published advisories for the vulnerabilities this week.

The security holes are related to the Electronic Data Sheet (EDS) subsystem used by some Rockwell products. An EDS file contains a device’s configuration data and it’s used by network management tools for identification and commissioning purposes.

Claroty researchers discovered that attackers could create special EDS files that would allow them to cause a denial-of-service (DoS) condition or to inject SQL queries in an effort to write or manipulate files on the system.

Rockwell Automation tracks the flaws as CVE-2020-12034, which allows DoS attacks and SQL injection, and CVE-2020-12038, which allows hackers to trigger a DoS condition. According to the vendor, the security holes impact FactoryTalk Linx (previously named RSLinx Enterprise), RSLinx Classic, RSNetWorx, and Studio 5000 Logix Designer.

Sharon Brizinov, principal vulnerability researcher at Claroty, one of the people involved in the discovery of the flaws, said their findings are related to the way the EDS subsystem parses the content of EDS files.

“We were able to create a malicious EDS file so that upon being parsed by Rockwell’s software, a Windows batch file will be written to an arbitrary path, including the startup directory, which can lead to code execution upon restart,” Brizinov told SecurityWeek.

Brizinov explained, “EDS files are simple text files used by various network configuration tools to help identify products and easily commission them on a network. This means when Rockwell’s software (e.g. network discovery utility) connects to a new type of device, it will read and parse the EDS file from the device, and will be able to determine the type of the device and other properties that will help the software to properly communicate further with the device.”

The researcher says an attacker could exploit the vulnerabilities by impersonating a new device on the network and using it to present a malicious EDS file to any discovery software.

When Rockwell network discovery tools such as RSLinx scan the network and come across the attacker’s fake device, they will ask for its EDS file. Once the hacker’s malicious EDS file is parsed, the vulnerability is triggered and a new file can be written to the disk of the engineering workstation or human-machine interface (HMI), Brizinov said.

“An attacker who has successfully implemented the attack described above can utilize it to expand their access and reach within the network, thus translating access to the network to an actual foothold on Rockwell’s workstations, including engineering stations and HMIs,” the researcher explained.

“A simple example would be an attacker who succeeds in connecting their own physical device to the shop-floor network, then impersonates a new device and uses the vulnerabilities to gain access to the engineering stations in the network. This emphasizes the need to be able to monitor the network for any new devices and identify them in time to prevent the abuse of automated discovery features that so many vendors offer,” he added.
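The workstation-side effect described above is an autorun file landing in a Windows Startup folder after a crafted EDS file is parsed. The following added example (not code from Claroty, Rockwell or this article) shows how a defender could flag that outcome from file-creation telemetry: it parses simplified file-creation events, checks whether the written path sits in a Startup folder and has an autorun extension, and raises the severity when the writing process is an EDS-consuming tool. The event format, the sample events and the process names in EDS_CONSUMERS are constructed assumptions, not values from the advisory.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Path segment shared by the per-user (...\AppData\Roaming\...) and all-users
# (C:\ProgramData\...) Windows Startup folders, compared case-insensitively.
STARTUP_SEGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# File types Windows will run from a Startup folder at logon.
AUTORUN_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe", ".lnk"}
# Assumed image names of tools that parse EDS files; illustrative, not from the advisory.
EDS_CONSUMERS = {"rslinx.exe", "rsnetworx.exe", "factorytalklinx.exe", "logixdesigner.exe"}

# Matches "Key=Value" pairs where values may contain spaces (e.g. "Program Files (x86)").
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value Key=Value' event line into a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert if the event writes an autorun file into a Startup folder."""
    if event.get("EventID") != "11":  # 11 = FileCreate in Sysmon's event numbering
        return None
    target = event.get("TargetFilename", "")
    if STARTUP_SEGMENT not in target.lower():
        return None
    if ntpath.splitext(target)[1].lower() not in AUTORUN_EXTENSIONS:
        return None
    image = ntpath.basename(event.get("Image", "")).lower()
    # A Startup-folder write by an EDS parser matches the described attack; other writers still warrant review.
    severity = "high" if image in EDS_CONSUMERS else "medium"
    return {"severity": severity, "image": image, "target": target}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over all lines and keep only the alerts."""
    return [alert for alert in (classify(parse_event(line)) for line in lines) if alert]


# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Program Files (x86)\Rockwell Software\RSLinx\RSLINX.EXE TargetFilename=C:\Users\eng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.bat",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\eng\Documents\notes.txt",
    r"EventID=11 Image=C:\Program Files\Rockwell Software\RSNetWorx\RSNETWORX.EXE TargetFilename=C:\ProgramData\Rockwell\EDS\newdevice.eds",
    r"EventID=11 Image=C:\Windows\System32\msiexec.exe TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Launcher.lnk",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe TargetFilename=C:\Users\eng\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.bat",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block on the sample events yields two alerts: a high-severity one for the batch file written by the RSLinx process, and a medium-severity one for the shortcut written by msiexec; the EDS file write outside Startup and the non-FileCreate event are ignored.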

More information on affected and patched versions is available in Rockwell’s advisory (registration required).

OSIsoft PI System vulnerabilities

Rockwell also informed customers recently that its FactoryTalk software is affected by several vulnerabilities discovered in OSIsoft’s PI System, a data collection and visualization product.

The OSIsoft vulnerabilities were discovered by industrial cybersecurity firm Applied Risk. Some of them can allow an attacker with low-privileged access to gain full control over the targeted system.

OSIsoft told SecurityWeek that it patched the vulnerabilities discovered by Applied Risk in April.

*Updated with information on OSIsoft patches

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
