
Rockwell EDS subsystem flaws threaten OT configuration workflows

CISA’s ICSA-20-140-01 advisory shows how crafted Electronic Data Sheet files can crash or manipulate Rockwell Automation’s EDS Subsystem, forcing OT teams to tighten engineering workstation controls and validate vendor patches across every affected device profile.

Fact-checked and reviewed — Kodi C.


High-level summary

CISA advisory ICSA-20-140-01 disclosed multiple vulnerabilities in Rockwell Automation's EDS (Electronic Data Sheet) Subsystem, a component used across the company's industrial control system product line. Security researchers from Claroty identified SQL injection and memory corruption vulnerabilities that could enable denial of service, arbitrary file writes, or database manipulation on engineering workstations.

EDS Subsystem Context

The EDS Subsystem plays a critical role in Rockwell Automation's industrial control ecosystem:

  • Device registration: EDS files describe device characteristics enabling engineering tools to recognize and configure industrial devices.
  • Catalog management: The subsystem maintains a database of device profiles used by Studio 5000, RSLogix, and FactoryTalk applications.
  • Cross-platform usage: Vulnerabilities affect ControlLogix, GuardLogix, and other Rockwell product families using the shared subsystem.
  • Integration point: Device profiles often come from third parties (device vendors, system integrators), creating supply chain exposure.

How the vulnerability works

The advisory documents two primary vulnerability classes:

  • CVE-2020-12034 (SQL Injection): The EDS Subsystem fails to properly sanitize input from EDS files before constructing SQL queries. Attackers can craft malicious EDS files containing SQL injection payloads that execute when the file is imported, enabling database manipulation or file system access.
  • CVE-2020-12038 (Memory Corruption): Improper handling of EDS file content can cause memory corruption in the EDS Parser COM object, potentially enabling denial of service or code execution.

CVSSv3 scores range from 4.3 to 7.5, reflecting the local attack vector but significant potential impact on engineering workstations.
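The SQL injection class described above comes down to file content being spliced into query text. The following is an added example, not Rockwell's code and not taken from the advisory: it parses a constructed `[Device]` section in the usual EDS `Keyword = value;` text layout and registers it in a hypothetical SQLite catalog table, once by string concatenation and once with type checks and bound parameters. The schema and function names are assumptions.

```python
import re
import sqlite3

# Constructed sample in EDS keyword syntax. The product name contains a
# single quote: legal text, but it changes a SQL statement built by splicing.
SAMPLE_EDS = '''
[Device]
    VendCode = 1;
    ProdCode = 166;
    ProdName = "Pump Drive 'A'";
'''

ENTRY = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|([^;]*?))\s*;', re.M)

def parse_device(text):
    """Return the keyword/value pairs of the sample as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ENTRY.finditer(text)}

def new_catalog():
    # Hypothetical schema; the real EDS Subsystem database is not described here.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE catalog (vend INTEGER, prod INTEGER, name TEXT)")
    return db

def register_concat(db, dev):
    """Vulnerable pattern: file content becomes part of the SQL text."""
    db.execute("INSERT INTO catalog VALUES (%s, %s, '%s')"
               % (dev["VendCode"], dev["ProdCode"], dev["ProdName"]))

def register_bound(db, dev):
    """Hardened pattern: validate numeric fields, then bind every value."""
    vend, prod = int(dev["VendCode"]), int(dev["ProdCode"])  # ValueError if not numeric
    db.execute("INSERT INTO catalog VALUES (?, ?, ?)", (vend, prod, dev["ProdName"]))

def demo():
    dev = parse_device(SAMPLE_EDS)
    try:
        register_concat(new_catalog(), dev)
        concat_result = "stored"
    except sqlite3.Error as exc:
        # The quote in the file ended the string literal early.
        concat_result = "sql error: %s" % exc
    db = new_catalog()
    register_bound(db, dev)
    return concat_result, db.execute("SELECT name FROM catalog").fetchone()[0]

if __name__ == "__main__":
    print(demo())
```

With bound parameters the quoted name is stored verbatim as data, while the concatenated statement fails to parse because the file content altered its structure.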

Attack Scenarios

Exploitation could occur through several vectors:

  • Malicious EDS distribution: Attackers distribute weaponized EDS files through compromised vendor websites, email, or removable media.
  • Supply chain compromise: Compromised device vendors or system integrators distribute malicious EDS files as part of normal product support.
  • Insider threat: Malicious insiders with access to engineering environments introduce crafted EDS files.
  • Social engineering: Convincing engineers to import EDS files from untrusted sources for "new device support."

Successful exploitation compromises engineering workstations that then push configuration to PLCs and other industrial devices.

Industrial Control System Impact

Engineering workstation compromise has cascading effects:

  • PLC programming access: Compromised workstations may be used to modify PLC programs, affecting physical processes.
  • Network pivoting: Engineering workstations often have access to both IT and OT networks, enabling lateral movement.
  • Credential theft: Engineering tools may store credentials for accessing industrial devices.
  • Project theft: Engineering projects contain intellectual property about industrial processes and configurations.
  • Safety system access: GuardLogix safety controllers may be accessible from compromised engineering stations.

Remediation Steps

If you are affected, implement full remediation:

  • Apply patches: Update EDS Subsystem to version 29 or later, available through Rockwell Automation's support portal.
  • Restrict EDS imports: Limit EDS file import permissions to trusted engineers and require approval for new device profiles.
  • Validate EDS sources: Only import EDS files from known, trusted sources. Verify file integrity through checksums or digital signatures where available.
  • Network segmentation: Isolate engineering workstations on dedicated network segments with controlled access to OT networks.
  • Monitor for exploitation: Implement detection for EDS Parser COM crashes, unexpected database modifications, or file system changes on engineering workstations.
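One way to enforce the "restrict imports" and "validate sources" steps together is a pre-import gate that compares each EDS file against an approved checksum manifest. This is an added example, not a Rockwell or CISA tool; the manifest layout (`sha256sum`-style lines), the function names, and the sample files are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Hash a file in blocks so large profiles do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def load_manifest(text):
    """Parse 'digest  filename' lines (sha256sum layout) into {name: digest}."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        manifest[name.lstrip("*")] = digest.lower()
    return manifest

def triage(import_dir, manifest):
    """Sort *.eds files into approved / mismatch / unlisted before any import."""
    result = {"approved": [], "mismatch": [], "unlisted": []}
    for path in sorted(Path(import_dir).glob("*.eds")):
        expected = manifest.get(path.name)
        if expected is None:
            result["unlisted"].append(path.name)   # never reviewed: needs approval
        elif hmac.compare_digest(expected, sha256_file(path)):
            result["approved"].append(path.name)
        else:
            result["mismatch"].append(path.name)   # changed since it was approved
    return result

def demo():
    # Constructed files and manifest in a temp directory so this runs offline.
    with tempfile.TemporaryDirectory() as d:
        good = b"[Device]\nVendCode = 1;\n"
        files = [("drive.eds", good), ("sensor.eds", good + b"x"), ("new.eds", good)]
        for name, body in files:
            (Path(d) / name).write_bytes(body)
        digest = hashlib.sha256(good).hexdigest()
        lines = "# approved profiles\n%s  drive.eds\n%s  sensor.eds\n" % (digest, digest)
        return triage(d, load_manifest(lines))

if __name__ == "__main__":
    print(demo())
```

Only files in the `approved` bucket should reach the import tool; `mismatch` and `unlisted` entries go back through the approval workflow.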

Engineering Workstation Hardening

Beyond specific EDS remediation, harden engineering workstations:

  • Deploy endpoint detection and response (EDR) solutions.
  • Implement application allowlisting to restrict executable code.
  • Maintain current antivirus with industrial-aware signatures.
  • Enforce least-privilege access for engineering users.
  • Capture and review audit logs for workstation activity.

Closing analysis

ICSA-20-140-01 shows how vulnerabilities in engineering tools can create pathways to compromise industrial control systems. If you are affected, focus on patching while implementing compensating controls and engineering workstation hardening to reduce risk during remediation.
