CVE-2022-1118
📋 TL;DR
This vulnerability allows arbitrary code execution through insecure deserialization in Rockwell Automation engineering software. Attackers can craft malicious serialized objects that, when opened by a user on an affected workstation, execute arbitrary code with the user's privileges. This affects users of Connected Components Workbench, ISaGRAF Workbench, and Safety Instrumented System Workstation.
💻 Affected Systems
- Connected Components Workbench
- ISaGRAF Workbench
- Safety Instrumented System Workstation
📦 What is this software?
- Connected Components Workbench by Rockwell Automation
- ISaGRAF Workbench by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control of the engineering workstation, potentially enabling lateral movement to industrial control systems.
Likely Case
Local privilege escalation leading to unauthorized access to engineering projects, configuration files, and potentially industrial control system networks.
If Mitigated
Limited impact with proper user training and restricted file handling, though risk remains if malicious files are opened.
🎯 Exploit Status
Requires social engineering to get a user to open a malicious file. Exploitation requires crafting specific serialized objects.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Connected Components Workbench v13.01.00+, ISaGRAF Workbench v6.6.10+, Safety Instrumented System Workstation v1.3+
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1653.html
Restart Required: Yes
Instructions:
1. Download the latest version from the Rockwell Automation Product Compatibility & Download Center.
2. Uninstall the affected version.
3. Install the patched version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict file handling
Windows: Configure systems to only open trusted project files and implement application whitelisting.
User training and policies
All platforms: Train users to only open files from trusted sources and implement strict file handling policies.
🧯 If You Can't Patch
- Implement strict user access controls and least privilege principles
- Deploy application whitelisting to prevent execution of unauthorized code
- Segment engineering workstations from production networks
- Implement robust email filtering and web content filtering
🔍 How to Verify
Check if Vulnerable:
Check software version in Help > About menu. If version matches affected range, system is vulnerable.
Check Version:
Check via Windows Programs and Features or software's About dialog
Verify Fix Applied:
Verify installed version is patched version (v13.01.00+ for CCW, v6.6.10+ for ISaGRAF, v1.3+ for SIS Workstation).
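One way to script the version check above across Windows engineering workstations (an added example, not vendor code or part of the original page). It assumes each product's uninstall entry carries the product name from this page in `DisplayName` and that `DisplayVersion` follows the advisory's numbering; an UNKNOWN result means the version must be confirmed in Help > About.

```powershell
# Patched versions as listed on this page.
$Patched = [ordered]@{
    'Connected Components Workbench'         = '13.01.00'
    'ISaGRAF Workbench'                      = '6.6.10'
    'Safety Instrumented System Workstation' = '1.3'
}

# 64-bit and 32-bit uninstall hives (the data behind Programs and Features).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Pad to four components so "13.1" and "13.01.00" compare as equal,
# and ignore any trailing text such as "(build ...)".
function ConvertTo-NormalizedVersion([string]$Text) {
    if ($Text -match '^\s*(\d+(\.\d+){0,3})') {
        $parts = @($Matches[1].Split('.')) + @('0', '0', '0')
        return [version]($parts[0..3] -join '.')
    }
    return $null   # empty or non-numeric DisplayVersion
}

$installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

foreach ($name in $Patched.Keys) {
    $min  = ConvertTo-NormalizedVersion $Patched[$name]
    # Assumption: DisplayName contains the product name exactly as written above.
    $hits = @($installed | Where-Object { $_.DisplayName -like "*$name*" })
    if (-not $hits) { "{0}: not installed" -f $name; continue }

    foreach ($h in $hits) {
        $ver = ConvertTo-NormalizedVersion $h.DisplayVersion
        if ($null -eq $ver)    { $state = 'UNKNOWN (check Help > About)' }
        elseif ($ver -ge $min) { $state = 'patched' }
        else                   { $state = 'VULNERABLE' }
        "{0} {1}: {2} (fixed in {3}+)" -f $h.DisplayName, $h.DisplayVersion, $state, $Patched[$name]
    }
}
```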
📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution from engineering software
- File access errors in application logs
- Security software alerts for suspicious behavior
Network Indicators:
- Unusual outbound connections from engineering workstations
- Unexpected network scanning from affected systems
SIEM Query:
Process creation where (parent process contains 'CCW' OR 'ISaGRAF' OR 'SISWorkstation') AND command line contains suspicious parameters