Rockwell Automation recently patched two vulnerabilities related to EDS files that can allow malicious actors to expand their access within a targeted organization’s OT network.
The vulnerabilities were discovered by researchers at industrial cybersecurity firm Claroty. Rockwell Automation and the United States Cybersecurity and Infrastructure Security Agency (CISA) published advisories for the vulnerabilities this week.
The security holes are related to the Electronic Data Sheet (EDS) subsystem used by some Rockwell products. An EDS file contains a device’s configuration data and it’s used by network management tools for identification and commissioning purposes.
Claroty researchers discovered that attackers could create special EDS files that would allow them to cause a denial-of-service (DoS) condition or to inject SQL queries in an effort to write or manipulate files on the system.
Rockwell Automation tracks the flaws as CVE-2020-12034, which allows DoS attacks and SQL injection, and CVE-2020-12038, which allows hackers to trigger a DoS condition. According to the vendor, the security holes impact FactoryTalk Linx (previously named RSLinx Enterprise), RSLinx Classic, RSNetWorx, and Studio 5000 Logix Designer.
Sharon Brizinov, principal vulnerability researcher at Claroty, one of the people involved in the discovery of the flaws, said their findings are related to the way the EDS subsystem parses the content of EDS files.
“We were able to create a malicious EDS file so that upon being parsed by Rockwell’s software, a Windows batch file will be written to an arbitrary path, including the startup directory, which can lead to code execution upon restart,” Brizinov told SecurityWeek.
Brizinov explained, “EDS files are simple text files used by various network configuration tools to help identify products and easily commission them on a network. This means when Rockwell’s software (e.g. network discovery utility) connects to a new type of device, it will read and parse the EDS file from the device, and will be able to determine the type of the device and other properties that will help the software to properly communicate further with the device.”
The researcher says an attacker could exploit the vulnerabilities by impersonating a new device on the network and use it to present a malicious EDS file to any discovery software.
When Rockwell network discovery tools such as RSLinx scan the network and come across the attacker’s fake device, they will ask for its EDS file. Once the hacker’s malicious EDS file is parsed, the vulnerability is triggered and a new file can be written to the disk of the engineering workstation or human-machine interface (HMI), Brizinov said.
“An attacker who has successfully implemented the attack described above can utilize it to expand their access and reach within the network, thus translating access to the network to an actual foothold on Rockwell’s workstations, including engineering stations and HMIs,” the researcher explained.
“A simple example would be an attacker who succeeds in connecting their own physical device to the shop-floor network, then impersonates a new device and uses the vulnerabilities to gain access to the engineering stations in the network. This emphasizes the need to be able to monitor the network for any new devices and identify them in time to prevent the abuse of automated discovery features that so many vendors offer,” he added.
More information on affected and patched versions is available in Rockwell’s advisory (registration required).
OSIsoft PI System vulnerabilities
Rockwell also informed customers recently that its FactoryTalk software is affected by several vulnerabilities discovered in OSIsoft’s PI System, a data collection and visualization product.
The OSIsoft vulnerabilities were discovered by industrial cybersecurity firm Applied Risk. Some of them can allow an attacker with low-privileged access to gain full control over the targeted system.
OSIsoft told SecurityWeek that it patched the vulnerabilities discovered by Applied Risk in April.
*Updated with information on OSIsoft patches