CVE-2021-27473 - OpenCVE

Rockwell Automation Connected Components Workbench v12.00.00 and prior does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:M/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rockwellautomation	Connected Components Workbench

Configuration 1 [-]

cpe:2.3:a:rockwellautomation:connected_components_workbench:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435
https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2022-03-23T19:46:36

Updated: 2024-08-03T20:48:17.293Z

Reserved: 2021-02-19T00:00:00

Link: CVE-2021-27473

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-23T20:15:09.153

Modified: 2022-03-29T17:50:48.963

Link: CVE-2021-27473

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Connected Components Workbench", "vendor": "Rockwell Automation", "versions": [{"lessThanOrEqual": "v12.00.00", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Mashav Sapir of Claroty reported these vulnerabilities to Rockwell Automation."}], "descriptions": [{"lang": "en", "value": "Rockwell Automation Connected Components Workbench v12.00.00 and prior does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-23T19:46:36", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435"}], "solutions": [{"lang": "en", "value": "Rockwell Automation recommends users of the affected software update to an available software revision (Connected Components Workbench v13.00.00 or later) that addresses the associated risk. "}], "source": {"discovery": "UNKNOWN"}, "title": "Rockwell Automation Connected Components Workbench Improper Input Validation", "workarounds": [{"lang": "en", "value": "Users who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with Rockwell Automation\u2019s general security guidelines to employ multiple strategies simultaneously.\nIf upgrade is not possible, Rockwell Automation recommends deploying the following mitigations:\n Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.\n Do not open untrusted .ccwarc, files with Connected Components Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.\n Use of Microsoft AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at KnowledgeBase Article QA17329 (login required).\n Ensure the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.\n\nFor more information, please see the industrial security advisory from Rockwell Automation. "}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2021-27473", "STATE": "PUBLIC", "TITLE": "Rockwell Automation Connected Components Workbench Improper Input Validation"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Connected Components Workbench", "version": {"version_data": [{"version_affected": "<=", "version_value": "v12.00.00"}]}}]}, "vendor_name": "Rockwell Automation"}]}}, "credit": [{"lang": "eng", "value": "Mashav Sapir of Claroty reported these vulnerabilities to Rockwell Automation."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Rockwell Automation Connected Components Workbench v12.00.00 and prior does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01", "refsource": "CONFIRM", "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01"}, {"name": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435", "refsource": "CONFIRM", "url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435"}]}, "solution": [{"lang": "en", "value": "Rockwell Automation recommends users of the affected software update to an available software revision (Connected Components Workbench v13.00.00 or later) that addresses the associated risk. "}], "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Users who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with Rockwell Automation\u2019s general security guidelines to employ multiple strategies simultaneously.\nIf upgrade is not possible, Rockwell Automation recommends deploying the following mitigations:\n Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.\n Do not open untrusted .ccwarc, files with Connected Components Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.\n Use of Microsoft AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at KnowledgeBase Article QA17329 (login required).\n Ensure the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.\n\nFor more information, please see the industrial security advisory from Rockwell Automation. "}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:48:17.293Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-27473", "datePublished": "2022-03-23T19:46:36", "dateReserved": "2021-02-19T00:00:00", "dateUpdated": "2024-08-03T20:48:17.293Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rockwellautomation:connected_components_workbench:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE932FFA-B8FB-41E4-B994-1B898A56C514", "versionEndIncluding": "12.00.00", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Rockwell Automation Connected Components Workbench v12.00.00 and prior does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful."}, {"lang": "es", "value": "Rockwell Automation Connected Components Workbench v12.00.00 y anteriores, no sanea las rutas especificadas dentro del archivo .ccwarc durante la extracci\u00f3n. Este tipo de vulnerabilidad tambi\u00e9n es conocida com\u00fanmente como Zip Slip. Un atacante local y autenticado puede crear un archivo .ccwarc malicioso que, cuando sea abierto por Connected Components Workbench, permitir\u00e1 al atacante alcanzar los privilegios del software. Si el software es ejecutado en el nivel SYSTEM, el atacante obtendr\u00e1 privilegios de nivel de administrador. Es requerida una interacci\u00f3n del usuario para que esta explotaci\u00f3n tenga \u00e9xito"}], "id": "CVE-2021-27473", "lastModified": "2022-03-29T17:50:48.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.7, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2022-03-23T20:15:09.153", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}