Organizations Informed of Over a Dozen Vulnerabilities in Rockwell Automation Products – Source: www.securityweek.com

Rockwell Automation customers have been informed this week about potentially serious vulnerabilities found and patched in several products. The timing coincides with reports of an investigation conducted by the US into the potential cyber risks associated with the automation giant’s operations in China.

Rockwell Automation published six new security advisories this week (registration required) and four of them have also been distributed by the US Cybersecurity and Infrastructure Security Agency (CISA). The advisories describe a total of more than a dozen vulnerabilities. 

One advisory warns organizations that Kinetix 5500 industrial control routers manufactured between May 2022 and January 2023 — specifically devices running firmware version 7.13 — have Telnet and FTP ports open by default, which could allow hackers to access the device. This critical vulnerability is tracked as CVE-2023-1834 and it has been patched with the release of firmware version 7.14. 

Two critical flaws have been found in Rockwell Automation’s PanelView 800 graphics terminals. The security holes are related to the WolfSSL component and they could lead to a heap buffer overflow, but devices are only impacted if the email feature is enabled in the project file — the feature is disabled by default.

Three high-severity buffer overflows, which can allow an attacker to commit or execute unauthorized code, have been found in the Arena event simulation and automation software.

The company’s ThinManager software management platform is affected by an issue related to ciphers. A malicious actor could leverage the weakness to decrypt traffic between the client and server API.

One of the two advisories that were published by Rockwell but were not picked up by CISA describes a cross-site request forgery in FactoryTalk Vantagepoint. The flaw can be exploited to impersonate a legitimate user by getting the target to click on a malicious link. 

The second advisory informs customers about 10 cross-site scripting (XSS) vulnerabilities in some ArmorStart ST distributed motor controllers that can be used to view and modify sensitive data in the web interface or make it unavailable. User interaction is required for exploitation.

Rockwell Automation’s advisories now include an entry for each vulnerability specifying whether the bug is included in CISA’s Known Exploited Vulnerabilities (KEV) catalog. None of the flaws described in the Thursday advisories are included. 

Earlier this week, The Wall Street Journal reported that several US government departments are investigating Rockwell’s operations at a facility in Dalian, China, where employees might have access to information that could be used to compromise the systems of the company’s customers.

There has been some concern that those employees could find vulnerabilities in Rockwell software and exploit them in zero-day attacks aimed at systems in the United States.

CISA has published over a dozen security advisories describing Rockwell Automation flaws in the past year. CISA’s advisories inform organizations about more than 30 vulnerabilities affecting Rockwell products, including many rated ‘critical’ or ‘high’.

Related: New Vulnerabilities Allow Stuxnet-Style Attacks Against Rockwell PLCs

Related: Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers

Related: Flaws in Rockwell Automation Product Expose Engineering Workstations to Attacks