CVE-2022-1018: ICSA-22-088-01 Rockwell Automation ISaGRAF
First published: Tue Mar 29 2022(Updated: )
When opening a malicious solution file provided by an attacker, the application suffers from an XML external entity vulnerability due to an unsafe call within a dynamic link library file. An attacker could exploit this to pass data from local files to a remote web server, leading to a loss of confidentiality.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rockwell Automation Connected Components Workbench | ||
| Rockwell Automation Connected Components Workbench | <=12.0 | |
| Isagraf | <=6.6.9 | |
| Rockwell Automation Safety Instrumented Systems Workstation | <=1.1 |
Remedy
Rockwell Automation encourages users to update to the available software revisions below: Connected Component Workbench: Update to v13.00 ISaGRAF Workbench: For now, use mitigations listed until a patch is released. More mitigation actions are planned. Safety Instrumented Systems Workstation: Update to v1.2
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-1018?
CVE-2022-1018 has a severity rating of critical due to the potential for remote data exfiltration.
How do I fix CVE-2022-1018?
To remediate CVE-2022-1018, update the affected software to the latest version that addresses this vulnerability.
What software is affected by CVE-2022-1018?
CVE-2022-1018 affects Rockwell Automation's Connected Components Workbench, Isagraf, and Safety Instrumented Systems Workstation products.
What can an attacker achieve by exploiting CVE-2022-1018?
An attacker exploiting CVE-2022-1018 could potentially exfiltrate sensitive data from local files to a remote server.
Is there a workaround for CVE-2022-1018 until a patch is applied?
A workaround for CVE-2022-1018 involves avoiding the opening of untrusted or malicious solution files.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/remedy
- agent/author
- agent/weakness
- agent/title
- agent/description
- agent/first-publish-date
- agent/severity
- agent/references
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/rockwell automation
- canonical/rockwell automation connected components workbench
- vendor/rockwellautomation
- version/rockwell automation connected components workbench/12.0
- canonical/isagraf
- version/isagraf/6.6.9
- canonical/rockwell automation safety instrumented systems workstation
- version/rockwell automation safety instrumented systems workstation/1.1