CVE-2020-12001
📋 TL;DR
This vulnerability allows attackers to exploit improper input validation in Rockwell Automation software's file parsing mechanism. By using specially crafted files, attackers can traverse the file system, modify or expose sensitive data, or execute arbitrary code. Affected users include industrial control system operators using FactoryTalk Linx, RSLinx Classic, Connected Components Workbench, and related Rockwell Automation products.
💻 Affected Systems
- FactoryTalk Linx
- RSLinx Classic
- Connected Components Workbench
- ControlFLASH
- ControlFLASH Plus
- FactoryTalk AssetCentre
- FactoryTalk Linx CommDTM
- Studio 5000 Launcher
- Studio 5000 Logix Designer
📦 What is this software?
FactoryTalk Linx by Rockwell Automation
RSLinx Classic by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, modify critical industrial control system files, steal sensitive operational data, and potentially disrupt industrial processes.
Likely Case
File system traversal leading to data exfiltration or modification of configuration files, potentially causing operational disruptions in industrial environments.
If Mitigated
Limited impact with proper network segmentation and file validation controls in place, potentially only affecting isolated systems.
🎯 Exploit Status
Exploitation requires the victim to process a specially crafted file. No authentication is required once file processing is triggered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Rockwell Automation security advisory for specific patched versions for each product
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1653.html
Restart Required: Yes
Instructions:
1. Review Rockwell Automation security advisory SD1653.
2. Identify affected products in your environment.
3. Download and apply appropriate patches from Rockwell Automation.
4. Restart affected systems.
5. Verify patch installation.
🔧 Temporary Workarounds
Restrict File Processing
Platform: Windows. Limit processing of untrusted files and implement strict file validation controls
Network Segmentation
Platform: all. Isolate affected systems from untrusted networks and implement strict firewall rules
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems
- Deploy application whitelisting to prevent execution of unauthorized code
🔍 How to Verify
Check if Vulnerable:
Check installed versions of Rockwell Automation software against affected version lists in security advisory SD1653
Check Version:
Check through Windows Control Panel > Programs and Features or use vendor-specific version checking tools
Verify Fix Applied:
Verify installed software versions match or exceed patched versions specified in Rockwell Automation advisory
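One way to script the version check above, as an added example that is not from Rockwell Automation or the original page: it reads the Windows uninstall registry keys (the data behind Programs and Features) and compares each installed product against a baseline. The baseline values are placeholders to be filled in from advisory SD1653, and the DisplayName patterns are assumptions about how the installers register themselves.

```powershell
# Added example, not vendor code: inventory the products listed on this page and
# compare each installed version to a baseline taken from advisory SD1653.
# ASSUMPTION: registry DisplayName values contain the product names below;
# adjust the patterns to what your installers actually register.
$Baseline = [ordered]@{
    'FactoryTalk Linx CommDTM'       = $null   # placeholder: patched version from SD1653
    'FactoryTalk Linx'               = $null   # placeholder
    'RSLinx Classic'                 = $null   # placeholder
    'Connected Components Workbench' = $null   # placeholder
    'ControlFLASH Plus'              = $null   # placeholder
    'ControlFLASH'                   = $null   # placeholder
    'FactoryTalk AssetCentre'        = $null   # placeholder
    'Studio 5000 Launcher'           = $null   # placeholder
    'Studio 5000 Logix Designer'     = $null   # placeholder
}
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RockwellPatchStatus {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            # First matching pattern wins, so the more specific names are listed first.
            $product = $Baseline.Keys | Where-Object { $entry.DisplayName -like "*$_*" } |
                       Select-Object -First 1
            if (-not $product) { return }   # not a product from the advisory

            $installed = $null; $minimum = $null
            $haveInstalled = [version]::TryParse([string]$entry.DisplayVersion, [ref]$installed)
            $haveMinimum   = [version]::TryParse([string]$Baseline[$product], [ref]$minimum)

            $status = if (-not $haveMinimum) { 'NO BASELINE SET' }
                      elseif (-not $haveInstalled) { 'VERSION UNPARSEABLE - CHECK MANUALLY' }
                      elseif ($installed -ge $minimum) { 'AT OR ABOVE BASELINE' }
                      else { 'BELOW BASELINE' }
            [pscustomobject]@{
                Product = $product; DisplayName = $entry.DisplayName
                Installed = $entry.DisplayVersion; Minimum = $Baseline[$product]; Status = $status
            }
        }
}

Get-RockwellPatchStatus | Sort-Object Product | Format-Table -AutoSize
```

The [version] type treats "6.11" as lower than "6.11.0", so write each baseline with the same number of fields the installer reports.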
📡 Detection & Monitoring
Log Indicators:
- Unusual file processing activity
- Unexpected system modifications
- Suspicious file access patterns
Network Indicators:
- Unexpected file transfers to/from industrial control systems
- Anomalous network traffic from affected systems
SIEM Query:
source="industrial-control-system" AND (event_type="file_access" OR event_type="process_execution") AND (file_extension IN [".rss", ".l5x", ".acd"] OR process_name IN ["RSLinx.exe", "FactoryTalk.exe"])