Description
Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 through v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior, for Trusted Controllers) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.
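To illustrate the flaw class the description names (a deserializer that instantiates whatever objects the stream contains) next to its mitigation (an allow-list of the types a document may legitimately contain), here is an added Python example; it is not code from Rockwell Automation's products, whose serialization format is not described on this page, and ProjectSettings is a hypothetical document type.

```python
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class ProjectSettings:
    """Hypothetical document type a workbench-style tool legitimately loads."""
    name: str
    cycle_ms: int


# The only (module, class) pairs the hardened loader will resolve.
ALLOWED_GLOBALS = {(ProjectSettings.__module__, ProjectSettings.__name__)}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve allow-listed classes only; any other global in the stream is refused."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def load_unrestricted(data: bytes):
    """Vulnerable pattern: every object named in the stream is instantiated/called."""
    return pickle.loads(data)


def load_restricted(data: bytes):
    """Hardened pattern: deserialization limited to known project objects."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class _ArbitraryCall:
    """Constructed sample whose reduce hook points at an arbitrary importable callable.
    os.getcwd is a harmless stand-in: the point is that the loader, not the
    document author, should decide which callables may run during load."""

    def __reduce__(self):
        return (os.getcwd, ())


GOOD_DOC = pickle.dumps(ProjectSettings(name="pump_station", cycle_ms=50))  # constructed
BAD_DOC = pickle.dumps(_ArbitraryCall())  # constructed


def demo():
    """Return (object from restricted load, bad doc refused?, callable ran unrestricted?)."""
    good = load_restricted(GOOD_DOC)
    try:
        load_restricted(BAD_DOC)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    ran = isinstance(load_unrestricted(BAD_DOC), str)  # getcwd ran and returned a path
    return good, refused, ran
```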
CVSS breakdown
CVSS 3.1
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
Affected products
- Rockwell Automation / Connected Components Workbench – all versions, v13.00.00 and prior
- Rockwell Automation / ISaGRAF Workbench – all versions v6.0 through v6.6.9
- Rockwell Automation / Safety Instrumented Systems Workstation – all versions, v1.2 and prior (for Trusted Controllers)
References
- Vendor advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-22-095-01