Rockwell Automation Connected Components Workbench Improper Input Validation
CVE-2021-27473

6.1MEDIUM

Key Information:

Vendor: Rockwell Automation
Status: Connected Components Workbench
Vendor: CVE Published:; 23 March 2022

Summary

Rockwell Automation Connected Components Workbench v12.00.00 and prior does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

Affected Version(s)

Connected Components Workbench <= unspecified

References

https://www.cisa.gov/uscert/ics/advisories/icsa-21-133-01

x_refsource_CONFIRM

https://rockwellautomation.custhelp.com/app/answers/answe...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 23, 2022
Vulnerability Reserved
Feb 19, 2021

Credit

Mashav Sapir of Claroty reported these vulnerabilities to Rockwell Automation.