CVE-2020-12005

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.00 and prior,Connected Components Workbench: Version 12 and prior, ControlFLASH: Version 14 and later, ControlFLASH Plus: Version 1 and later, FactoryTalk Asset Centre: Version 9 and later, FactoryTalk Linx CommDTM: Version 1 and later, Studio 5000 Launcher: Version 31 and later Stud, 5000 Logix Designer software: Version 32 and prior is vulnerable. A vulnerability exists in the communication function that enables users to upload EDS files by FactoryTalk Linx. This may allow an attacker to upload a file with bad compression, consuming all the available CPU resources, leading to a denial-of-service condition.

FactoryTalk Linx versiones 6.00, 6.10 y 6.11, RSLinx Classic versiones v4.11.00 y anteriores, Connected Components Workbench: versión 12 y anteriores, ControlFLASH: versión 14 y posteriores, ControlFLASH Plus: versión 1 y posteriores, FactoryTalk Asset Center: versión 9 y posteriores , FactoryTalk Linx CommDTM: versión 1 y posteriores, Studio 5000 Launcher: versión 31 y posteriores a Stud, software 5000 Logix Designer: versión 32 y anteriores son vulnerables. Se presenta una vulnerabilidad en la función de comunicación que permite a los usuarios cargar archivos EDS mediante FactoryTalk Linx. Esto puede permitir a un atacante cargar un archivo con mala compresión, consumiendo todos los recursos de CPU disponibles, conllevando a una condición de denegación de servicio

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-04-21 CVE Reserved
2020-06-15 CVE Published
2023-06-04 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (1)

URL	Tag	Source
https://www.us-cert.gov/ics/advisories/icsa-20-163-02	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Rockwellautomation Search vendor "Rockwellautomation"		Factorytalk Linx Search vendor "Rockwellautomation" for product "Factorytalk Linx"				6.00 Search vendor "Rockwellautomation" for product "Factorytalk Linx" and version "6.00"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Factorytalk Linx Search vendor "Rockwellautomation" for product "Factorytalk Linx"				6.10 Search vendor "Rockwellautomation" for product "Factorytalk Linx" and version "6.10"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Factorytalk Linx Search vendor "Rockwellautomation" for product "Factorytalk Linx"				6.11 Search vendor "Rockwellautomation" for product "Factorytalk Linx" and version "6.11"		-		Affected
Rockwellautomation Search vendor "Rockwellautomation"		Rslinx Classic Search vendor "Rockwellautomation" for product "Rslinx Classic"				<= 4.11.00 Search vendor "Rockwellautomation" for product "Rslinx Classic" and version " <= 4.11.00"		-		Affected