CVE-2020-12029
Published 2020-07-20
Priority: P2 (65) · Severity: high · CVSS 3.1 base score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public exploit available (Metasploit module linked under Detection & IOCs) · EPSS: 44.98% (98.6th percentile)
All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE). Rockwell Automation recommends applying patch 1126289. Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. 1066644 – Patch Roll-up for CPR9 SRx.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | factorytalk_view_se | — | — |
Detection & IOCs (extracted from sources)
Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/scada/rockwell_factorytalk_rce.rb
- The exploit chains five vulnerabilities: an unauthenticated project copy request, a directory traversal, a race condition, and two information leaks. Monitor for unauthenticated project copy requests to FactoryTalk View SE endpoints.
- The exploit achieves code execution as the IIS user. Monitor for anomalous process spawning from IIS worker processes (w3wp.exe) on FactoryTalk View SE hosts; a shell or script host with w3wp.exe as its parent has no legitimate reason to exist on an HMI server.
- The vulnerability is improper validation of filenames within a project directory. Monitor for directory traversal sequences (e.g., '../' or '..\', including URL-encoded and double-encoded forms) in filenames submitted to FactoryTalk View SE project directory handlers.
- CVE-2020-12027 (information disclosure) exposes hostnames and file paths. Monitor for unauthenticated or low-privilege requests to handlers that return system path or hostname data; these may be pre-exploitation reconnaissance chained with CVE-2020-12029.
- CVE-2020-12028 involves handlers that do not enforce appropriate permissions. Monitor for remote authenticated access to privileged data handlers on FactoryTalk View SE that is not accompanied by the expected authorization checks.
- Patch 1126289 for CVE-2020-12029 requires the patch rollup dated 06 Apr 2020 or later (1066644 – Patch Roll-up for CPR9 SRx) to be installed first. Verify the rollup is present before applying the patch; do not count a host as remediated on the basis of patch 1126289 alone.
- All versions of FactoryTalk View SE are affected, so there is no unaffected version to fall back to without patching.
- For CVE-2020-12028 and CVE-2020-12027, Rockwell recommends enabling IPsec and/or HTTPS per knowledge base articles 109056 and 1126943 as mitigations. These are network-level controls that limit who can reach the handlers, not code fixes for the handlers themselves.
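The two host-side monitoring ideas above (traversal sequences submitted to the project directory handlers, and shells spawned by w3wp.exe) as a small detector run over constructed log data. This is an added example, not code from the page, from Rockwell, or from the Metasploit module. The IIS virtual-directory prefix `/rsviewse/`, the handler name `handler.aspx`, the sample IIS W3C log lines, and the Sysmon-style JSON events are all assumptions made for illustration and should be replaced with the site's real paths and telemetry.

```python
"""Detection for two CVE-2020-12029 monitoring ideas: traversal in requests to
FactoryTalk View SE handlers, and shells spawned by the IIS worker w3wp.exe."""
import json
import re
from urllib.parse import unquote

# ASSUMPTION (not from the advisory): IIS virtual-directory prefix under which
# the FactoryTalk View SE web handlers live. Set it to the site's real value.
FTVIEW_PATH_PREFIXES = ("/rsviewse/",)

# Children an IIS worker process should never spawn on an HMI server.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}

# A '..' segment delimited by start-of-string, a slash, or a query separator.
_TRAVERSAL = re.compile(r"(?:^|[\\/=&?])\.\.(?:[\\/]|$)")


def fully_decode(value, max_rounds=3):
    """URL-decode until stable: IIS logs cs-uri-query still encoded, and
    double encoding such as %252e%252e%255c is a common filter bypass."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the decoded value contains a '../' or '..\\' path segment."""
    return bool(_TRAVERSAL.search(fully_decode(value)))


def parse_iis_w3c(log_text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):      # skip malformed lines, never misalign
            rows.append(dict(zip(fields, values)))
    return rows


def find_traversal_requests(log_text):
    """(client_ip, uri_stem, decoded_query) for FactoryTalk handler requests
    whose path or query string carries a traversal sequence."""
    hits = []
    for row in parse_iis_w3c(log_text):
        stem, query = row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-")
        if not stem.lower().startswith(FTVIEW_PATH_PREFIXES):
            continue
        if has_traversal(stem) or (query != "-" and has_traversal(query)):
            hits.append((row.get("c-ip", "?"), stem, fully_decode(query)))
    return hits


def find_w3wp_shell_children(events_jsonl):
    """(parent, child, command_line) for Sysmon event 1 records in which
    w3wp.exe spawned a shell or script host."""
    hits = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:          # Sysmon EventID 1 = process creation
            continue
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        child = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append((parent, child, ev.get("CommandLine", "")))
    return hits


# Constructed sample IIS log (not real traffic): a benign handler request, a
# double-encoded traversal in the query, and a '..' request outside the
# FactoryTalk prefix that must be ignored.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-06-18 10:00:01 10.0.0.5 GET /rsviewse/handler.aspx project=Plant1 80 - 10.0.0.20 Mozilla/5.0 200
2020-06-18 10:00:02 10.0.0.5 GET /rsviewse/handler.aspx file=%252e%252e%255c%252e%252e%255cwindows%255cwin.ini 80 - 198.51.100.7 python-requests/2.23 200
2020-06-18 10:00:03 10.0.0.5 GET /other/app.aspx path=..%2f..%2fetc 80 - 198.51.100.7 curl/7.68 404
"""

# Constructed Sysmon-style process-creation events as JSON lines (not real data).
SAMPLE_PROCESS_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "w3wp.exe -ap DefaultAppPool"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"cmd.exe /c whoami > C:\inetpub\wwwroot\out.txt"},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
])

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_IIS_LOG):
        print("traversal in FactoryTalk handler request:", hit)
    for hit in find_w3wp_shell_children(SAMPLE_PROCESS_EVENTS):
        print("shell spawned by IIS worker process:", hit)
```

The traversal check decodes before matching because IIS writes the query string to its log still URL-encoded, so a rule that greps the raw log for `../` misses `%2e%2e%2f` and `%252e%252e%255c` outright. The process check keys on the parent image rather than the command line, since the IIS user has no reason to launch a shell regardless of what the command says.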
CVSS provenance
- NVD v3.1: 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- NVD v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
Note the disagreement between sources: the NVD v3.1 vector scores this as a local attack requiring user interaction (AV:L, UI:R), while the CISA advisory below rates its vulnerability set at 9.0 as remotely exploitable, and the public Metasploit module chains this CVE into unauthenticated remote code execution. Prioritise on the remote, chained scenario rather than on the NVD v3.1 score alone.
CISA ICS
[CRITICAL] Rockwell Automation FactoryTalk View SE (ICS Advisory)
cisa_ics · 2020-06-18 · CVSS 9.0
Last Revised: June 18, 2020
Alert Code: ICSA-20-170-05
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.0
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Rockwell Automation
- Equipment: FactoryTalk View SE
- Vulnerabilities: Improper Input Validation, Improper Restriction of Operations Within The Bounds of a Memory Buffer, Permissions, Privileges, and Access Controls, Exposure of Sensitive Information to an Unauthorized Actor
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities may allow a remote authenticate
GHSA
GHSA-v98p-v8hm-3f7c: All versions of FactoryTalk View SE do not properly validate input of filenames within a project directory
ghsa_unreviewed · 2022-05-24 · CVE-2020-12029 · severity MEDIUM · CWE-20
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/160156/Rockwell-FactoryTalk-View-SE-SCADA-Unauthenticated-Remote-Code-Execution.html
- https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1126944
- https://us-cert.cisa.gov/ics/advisories/icsa-20-170-05