CVE-2022-1118
Published: 2022-05-17
Priority: P276, high; CVSS 3.1 base score 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV
Exploited in the wild
EPSS: 11.37% (95.4th percentile)
Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 through v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rockwell_automation | connected_component_workbench | All – v13.00.00 | — |
| rockwell_automation | isagraf_workbench | — | — |
| rockwell_automation | safety_instrumented_systems_workstation | All – v1.2 (for Trusted Controllers) | — |
| rockwellautomation | connected_component_workbench | <= 13.00.00 | — |
| rockwellautomation | isagraf_workbench | 6.0 – 6.6.9 | — |
| rockwellautomation | safety_instrumented_systems_workstation | <= 1.2 | — |
Detection & IOCs (extracted from sources)
- Vulnerability involves deserialization of untrusted data (CWE-502) in Rockwell Automation products; monitor for suspicious file open events in Connected Components Workbench, ISaGRAF Workbench, or Safety Instrumented Systems Workstation processes that may trigger deserialization of crafted malicious objects.
- Exploitation requires local user interaction (e.g., opening a malicious file); monitor for unexpected child process spawning from Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 through v6.6.9), or Safety Instrumented Systems Workstation (v1.2 and prior) processes.
- Consider deploying Microsoft AppLocker allowlisting rules targeting the affected Rockwell Automation application executables to detect or block unauthorized code execution attempts originating from these processes.
- No known public exploits specifically target this vulnerability at time of advisory publication; exploitation is local (not remotely exploitable), requiring a user to open a malicious serialized file.
- Attack vector is local with no privilege required but requires user interaction (CVSS AV:L/AC:L/PR:N/UI:R/S:C); scope is Changed with High impact on Confidentiality, Integrity, and Availability.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 8.6 | HIGH | — |
GHSA
GHSA-cq53-3mvc-ghx7: Connected Components Workbench (v13
ghsa_unreviewed · 2022-05-18 · CVE-2022-1118 [HIGH] CWE-502
VulnCheck
rockwellautomation connected_component_workbench Deserialization of Untrusted Data
vulncheck · 2022 · CVSS 8.6 · CVE-2022-1118 [HIGH]
Affected: rockwellautomation connected_component_workbench
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
CISA ICS
Rockwell Automation ISaGRAF
cisa_ics · 2022-04-05 · CVSS 8.6 · [HIGH]
ICS Advisory: Rockwell Automation ISaGRAF
Last Revised: April 05, 2022
Alert Code: ICSA-22-095-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.6
- ATTENTION: Low attack complexity
- Vendor: Rockwell Automation
- Equipment: ISaGRAF
- Vulnerability: Deserialization of Untrusted Data
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow arbitrary code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following Rockwell Automation products are affected:
- Connected Component Workbench: v13.00.00 and prior
- ISaGRAF Workbench: v6.0 through v6.6.9
- Safety Inst
No detection rules found.
No public exploits indexed.
Unit42
Network Security Trends: November 2022-January 2023
blogs_unit42 · 2023-05-02 · CVSS 9.8 · CVE-2021-22005 [CRITICAL]
## Network Security Trends: November 2022-January 2023
Yiheng An
Published: May 2, 2023
Tags: Trend Reports, Vulnerabilities, Attack analysis, Exploit in the wild, Network security trends
CVEs covered: CVE-2021-22005, CVE-2021-31602, CVE-2021-33035, CVE-2021-43287, CVE-2022-1118, CVE-2022-27924, CVE-2022-30136, CVE-2022-31137, CVE-2022-44877, CVE-2022-46169
## Executive Summary
Recent observations of exploits used in the wild November 2022-January 2023 reveal that attackers have been using newly published remote code execution vulnerabilities in the following three products:
- Roxy-WI, a web interface for managing and monitoring RoxyDNS
- CWP, a free web hosting control panel (aka Control Web Panel or CentOS Web Panel)
- Cacti, an open-source network monitoring and graphing tool used to track the performance of various network devices, servers and applications
Additionally, attackers have also been taking advantage of a traversal and information disclosure vulnerability in ThoughtWorks GoCD to read sensitive files stored on servers.
In our observations of network security trends, Unit 42 researchers have pinpointed several attacks based o