cnvd - cnvd-2021-34432

CNVD-2021-34432

Vulnerability from cnvd - Published: 2021-05-14

Title

Rockwell Automation Connected Components Workbench反序列化漏洞

Description

Rockwell Automation CCW是一款用于设计和配置应用程序和进行微控制器变成的HMI编辑器和组件级工业产品。 Rockwell Automation Connected Components Workbench存在反序列化漏洞，攻击者可利用该漏洞导致远程执行代码。

Severity

中

Patch Name

Rockwell Automation Connected Components Workbench反序列化漏洞的补丁

Patch Description

Rockwell Automation CCW是一款用于设计和配置应用程序和进行微控制器变成的HMI编辑器和组件级工业产品。 Rockwell Automation Connected Components Workbench存在反序列化漏洞，攻击者可利用该漏洞导致远程执行代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435

Reference

https://us-cert.cisa.gov/ics/advisories/icsa-21-133-01

Impacted products

Name
Rockwell Automation Connected Components Workbench <=12.00.00

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-27475"
    }
  },
  "description": "Rockwell Automation CCW\u662f\u4e00\u6b3e\u7528\u4e8e\u8bbe\u8ba1\u548c\u914d\u7f6e\u5e94\u7528\u7a0b\u5e8f\u548c\u8fdb\u884c\u5fae\u63a7\u5236\u5668\u53d8\u6210\u7684HMI\u7f16\u8f91\u5668\u548c\u7ec4\u4ef6\u7ea7\u5de5\u4e1a\u4ea7\u54c1\u3002\n\nRockwell Automation Connected Components Workbench\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-34432",
  "openTime": "2021-05-14",
  "patchDescription": "Rockwell Automation CCW\u662f\u4e00\u6b3e\u7528\u4e8e\u8bbe\u8ba1\u548c\u914d\u7f6e\u5e94\u7528\u7a0b\u5e8f\u548c\u8fdb\u884c\u5fae\u63a7\u5236\u5668\u53d8\u6210\u7684HMI\u7f16\u8f91\u5668\u548c\u7ec4\u4ef6\u7ea7\u5de5\u4e1a\u4ea7\u54c1\u3002\r\n\r\nRockwell Automation Connected Components Workbench\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Rockwell Automation Connected Components Workbench\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Rockwell Automation Connected Components Workbench \u003c=12.00.00"
  },
  "referenceLink": "https://us-cert.cisa.gov/ics/advisories/icsa-21-133-01",
  "serverity": "\u4e2d",
  "submitTime": "2021-05-14",
  "title": "Rockwell Automation Connected Components Workbench\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e"
}

CVE-2021-27475 (GCVE-0-2021-27475)

Vulnerability from cvelistv5 – Published: 2022-03-23 19:46 – Updated: 2025-04-16 17:58

Summary

Rockwell Automation Connected Components Workbench v12.00.00 and prior does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

Severity ?

8.6 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

icscert

References

URL

Tags

	https://www.cisa.gov/uscert/ics/advisories/icsa-2…	x_refsource_CONFIRM
	https://rockwellautomation.custhelp.com/app/answe…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Rockwell Automation	Connected Components Workbench	Affected: unspecified , ≤ v12.00.00 (custom)

Credits

Mashav Sapir of Claroty reported these vulnerabilities to Rockwell Automation.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:48:17.351Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-27475",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T17:30:43.735807Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T17:58:45.843Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Connected Components Workbench",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "lessThanOrEqual": "v12.00.00",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Mashav Sapir of Claroty reported these vulnerabilities to Rockwell Automation."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rockwell Automation Connected Components Workbench v12.00.00 and prior does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-23T19:46:38.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Rockwell Automation recommends users of the affected software update to an available software revision (Connected Components Workbench v13.00.00 or later) that addresses the associated risk. "
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Rockwell Automation Connected Components Workbench Deserialization of Untrusted Data",
      "workarounds": [
        {
          "lang": "en",
          "value": "Users who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with Rockwell Automation\u2019s general security guidelines to employ multiple strategies simultaneously.\nIf upgrade is not possible, Rockwell Automation recommends deploying the following mitigations:\n    Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.\n    Do not open untrusted .ccwarc, files with Connected Components Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.\n    Use of Microsoft AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at KnowledgeBase Article QA17329 (login required).\n    Ensure the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.\n\nFor more information, please see the industrial security advisory from Rockwell Automation. "
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2021-27475",
          "STATE": "PUBLIC",
          "TITLE": "Rockwell Automation Connected Components Workbench Deserialization of Untrusted Data"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Connected Components Workbench",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "v12.00.00"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Rockwell Automation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Mashav Sapir of Claroty reported these vulnerabilities to Rockwell Automation."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Rockwell Automation Connected Components Workbench v12.00.00 and prior does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-502 Deserialization of Untrusted Data"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01",
              "refsource": "CONFIRM",
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01"
            },
            {
              "name": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435",
              "refsource": "CONFIRM",
              "url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Rockwell Automation recommends users of the affected software update to an available software revision (Connected Components Workbench v13.00.00 or later) that addresses the associated risk. "
          }
        ],
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Users who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with Rockwell Automation\u2019s general security guidelines to employ multiple strategies simultaneously.\nIf upgrade is not possible, Rockwell Automation recommends deploying the following mitigations:\n    Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.\n    Do not open untrusted .ccwarc, files with Connected Components Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.\n    Use of Microsoft AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at KnowledgeBase Article QA17329 (login required).\n    Ensure the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.\n\nFor more information, please see the industrial security advisory from Rockwell Automation. "
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-27475",
    "datePublished": "2022-03-23T19:46:38.000Z",
    "dateReserved": "2021-02-19T00:00:00.000Z",
    "dateUpdated": "2025-04-16T17:58:45.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-34432

CVE-2021-27475 (GCVE-0-2021-27475)

Tags

Sightings

Nomenclature