CVE-2022-1118

17.05.2022, 20:15

Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 though v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.6 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
icscert	CNA	8.6 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 97%

Vendor	Product	Version
rockwellautomation	connected_component_workbench	𝑥 ≤ 13.00.00
rockwellautomation	isagraf_workbench	6.0 ≤ 𝑥 ≤ 6.6.9
rockwellautomation	safety_instrumented_systems_workstation	𝑥 ≤ 1.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://www.cisa.gov/uscert/ics/advisories/icsa-22-095-01