CVE-2020-12005 in FactoryTalk Linx
Summary
by MITRE
FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior, Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later, Studio 5000 Logix Designer software: Version 32 and prior are vulnerable. A vulnerability exists in the communication function that enables users to upload EDS files by FactoryTalk Linx. This may allow an attacker to upload a file with bad compression, consuming all the available CPU resources, leading to a denial-of-service condition.
Analysis
by VulDB Data Team • 06/16/2020
The vulnerability identified as CVE-2020-12005 affects multiple FactoryTalk products including Linx versions 6.00 through 6.11, RSLinx Classic v4.11.00 and prior, Connected Components Workbench version 12 and prior, ControlFLASH versions 14 and later, ControlFLASH Plus version 1 and later, FactoryTalk Asset Centre version 9 and later, FactoryTalk Linx CommDTM version 1 and later, Studio 5000 Launcher version 31 and later, and Studio 5000 Logix Designer version 32 and prior. This vulnerability resides within the communication function that permits users to upload EDS files through FactoryTalk Linx, representing a critical security flaw that could be exploited to compromise industrial control systems. The vulnerability is categorized under CWE-400 as an uncontrolled resource consumption issue, specifically manifesting as a denial-of-service condition that can exhaust available CPU resources.
Exploitation relies on the file upload function of FactoryTalk Linx, which processes EDS (Electronic Data Sheet) files; these files describe device parameters and communication settings in industrial automation environments. When an attacker uploads a crafted EDS file with bad compression, the decompression routine is overwhelmed by the processing it requires, causing excessive CPU utilization and ultimately system unresponsiveness or a complete denial of service. This is a classic resource exhaustion pattern: malformed input triggers inefficient processing that consumes system resources at an unsustainable rate. The weakness lies in the decompression step of EDS file processing, which lacks adequate input validation and resource limiting.
The operational impact of this vulnerability extends beyond simple service disruption, particularly within industrial environments where continuous system availability is paramount for operational safety and productivity. In manufacturing and process control environments, the denial-of-service condition could result in production halts, safety system failures, or compromise of critical control functions that rely on FactoryTalk Linx for device communication management. The vulnerability affects multiple products in the FactoryTalk suite, indicating a systemic issue within the communication framework that could potentially impact various industrial automation workflows. This makes the vulnerability particularly concerning as it could affect multiple points within an industrial network infrastructure, creating cascading effects that extend beyond individual systems.
Mitigation strategies for CVE-2020-12005 should focus on implementing comprehensive input validation and resource limiting measures within the EDS file processing functionality. Organizations should consider applying vendor-provided patches or updates that address the specific decompression handling issues in affected versions of FactoryTalk products. Network segmentation and access controls can help limit the potential impact by restricting unauthorized access to the vulnerable upload functionality. Additionally, implementing monitoring solutions that detect unusual CPU utilization patterns can provide early warning of potential exploitation attempts. The vulnerability aligns with ATT&CK technique T1499.004 for network denial-of-service attacks, where adversaries leverage system resource exhaustion to disrupt operations. Organizations should also implement regular security assessments of industrial control systems to identify similar vulnerabilities in other communication protocols and file processing functions that could present analogous risks.
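The following is an added example, not FactoryTalk Linx, Rockwell or VulDB code, showing the kind of resource limiting that the two paragraphs above (the missing limits in the decompression step, and the recommended input validation and resource limiting) call for. The page does not say which compression scheme the EDS upload path uses, so the example assumes a zlib/DEFLATE stream; the budgets MAX_OUTPUT_BYTES and MAX_RATIO are hypothetical, and the benign and hostile uploads are constructed in the block rather than taken from any real EDS file. The point it demonstrates is that decompressing in bounded steps and checking the output size and expansion ratio after each step rejects a "bad compression" upload after a small, fixed amount of work instead of after the whole stream has been expanded.

```python
import zlib

# Hypothetical per-upload budgets; the page gives no numbers for FactoryTalk Linx.
MAX_OUTPUT_BYTES = 4 * 1024 * 1024  # never inflate more than 4 MiB for one EDS upload
MAX_RATIO = 100                     # reject streams expanding more than 100:1
CHUNK = 64 * 1024                   # decompress in 64 KiB steps so limits are checked early


class DecompressionLimitExceeded(ValueError):
    """Raised when an upload exceeds the size or expansion-ratio budget."""


def bounded_decompress(data: bytes, max_output: int = MAX_OUTPUT_BYTES,
                       max_ratio: int = MAX_RATIO) -> bytes:
    """Inflate a zlib stream while enforcing output-size and ratio limits.

    Work is done in bounded steps and the checks run after every step, so a
    hostile input costs at most one extra CHUNK of work before it is rejected.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        chunk = d.decompress(pending, CHUNK)   # produce at most CHUNK bytes this step
        out += chunk
        pending = d.unconsumed_tail            # input zlib has not been fed yet
        consumed = len(data) - len(pending) - len(d.unused_data)
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"output exceeds {max_output} bytes after {consumed} input bytes")
        if len(out) > max_ratio * max(consumed, 1):
            raise DecompressionLimitExceeded(
                f"expansion ratio exceeds {max_ratio}:1 ({len(out)} from {consumed})")
        if d.eof:
            break                              # end-of-stream marker reached
        if not chunk and not pending:
            raise ValueError("truncated or corrupt compressed stream")
    out += d.flush()
    return bytes(out)


def classify_upload(data: bytes) -> tuple:
    """Return ("accepted", size) or ("rejected", reason) for an uploaded blob."""
    try:
        payload = bounded_decompress(data)
    except DecompressionLimitExceeded as exc:
        return ("rejected", f"limit: {exc}")
    except (zlib.error, ValueError) as exc:
        return ("rejected", f"malformed: {exc}")
    return ("accepted", len(payload))


def sample_benign_text() -> bytes:
    """Constructed stand-in for a small EDS-style text file (not a real EDS)."""
    return b"".join(b'Param%d = "value %d";\n' % (i, i * 7) for i in range(500))


def sample_benign_upload() -> bytes:
    """The constructed text above, zlib-compressed as a well-formed upload."""
    return zlib.compress(sample_benign_text())


def sample_hostile_upload() -> bytes:
    """Constructed 'bad compression' upload: 20 MiB of zeros that inflate from a
    few kilobytes, the decompression-bomb shape the analysis describes."""
    return zlib.compress(bytes(20 * 1024 * 1024))


if __name__ == "__main__":
    print(classify_upload(sample_benign_upload()))
    print(classify_upload(sample_hostile_upload()))
    print(classify_upload(sample_benign_upload()[:-6]))  # truncated stream
```

The ratio check matters as much as the absolute cap: a 4 MiB ceiling alone still lets every hostile upload burn 4 MiB of inflation work, whereas checking the ratio after each 64 KiB step stops a highly compressible payload on its first step. The exact budgets are a deployment decision; legitimate text files of this kind compress only a few times over, so a ratio limit well above that leaves ordinary uploads unaffected.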