CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.003 Low
  Percentile: 71.4%
An attacker could leverage this vulnerability to execute code within the context of the affected system, which may threaten the integrity and confidentiality of data or cause a denial-of-service condition.
B&R Automation reports the vulnerabilities affect the following versions of Automation Studio, a programmable logic controller (PLC) automation programming software:
If the PLC has not been sufficiently secured, an attacker could manipulate stored project information. Alternatively, a remote attacker may use spoofing techniques to connect B&R Automation Studio to an attacker-controlled device with manipulated project files. When using project upload in B&R Automation Studio, such crafted projects will be loaded and opened in the security context of Automation Studio. This may result in remote code execution, information disclosure, and denial-of-service of the system running B&R Automation Studio.
CVE-2021-22289 has been assigned to this vulnerability. A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Mr. Mashav Sapir of Claroty reported this vulnerability to CISA.
Note: This feature is not activated by default. Do not use or enable the feature if it is not necessary for projects.
B&R recommends users using this vulnerable project upload feature employ the following mitigations to minimize the risk of vulnerability exploitation:
In general, B&R recommends implementing B&R Cyber Security guidelines. For additional information and support, users should contact B&R directly.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.
No known public exploits specifically target this vulnerability. This vulnerability has a high attack complexity.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-22289
www.br-automation.com/
cisa.gov/ics
cwe.mitre.org/data/definitions/20.html
us-cert.cisa.gov/ics/Recommended-Practices
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.br-automation.com/en/service/cyber-security/
www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H