Infrastructure Briefing — Rockwell EDS subsystem flaws threaten OT configuration workflows
CISA’s ICSA-20-140-01 advisory shows how crafted Electronic Data Sheet files can crash or manipulate Rockwell Automation’s EDS Subsystem, forcing OT teams to tighten engineering workstation controls and validate vendor patches across every affected device profile.
Executive briefing: Rockwell Automation’s EDS Subsystem parses the device descriptions that every ControlLogix, GuardLogix, or FactoryTalk asset uses to register in an OT engineering workstation. CISA confirms Claroty researchers found memory corruption and SQL injection paths (CVE-2020-12038, CVE-2020-12034) in that parser. A single malicious EDS file could crash the EDS Parser COM object, tamper with the local database, or write arbitrary files on the programming laptop—jeopardizing downstream PLC downloads.
Engineering actions for May 2020
- Prioritize Rockwell patches. Apply the vendor’s patched EDS subsystem (v29 and above) to every Studio 5000 or RSLogix deployment before onboarding contractors or vendors that supply new device profiles.
- Restrict who can import EDS content. Lock down EDS import permissions to trusted engineers, require code signing validation, and store approved EDS catalogs on an allow-listed SMB share.
- Stage clean baselines. Capture gold images of engineering workstations with the patched EDS subsystem so you can quickly reimage laptops if a malicious file poisons the database.
Safeguard OT workstations
- Segment tooling networks. Keep the workstations that host the EDS subsystem on a management VLAN with limited outbound internet access to reduce exposure to rogue EDS downloads.
- Monitor for parser crashes. Set up event log alerting for repeated failures of the EDS Parser COM object so SOC teams can triage whether a malformed file is being used to trigger denial-of-service conditions.
- Harden database access. Because the EDS subsystem stores catalog data locally, enforce EDR coverage, disable unnecessary SQL services, and back up the database before each import cycle.
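One way to implement the crash alerting from the monitoring bullet above, as an added example that is not from the CISA advisory or from Rockwell: it scans application-crash records exported from the Windows Application log (Event ID 1000, provider "Application Error") and reports a burst when the EDS parser faults repeatedly inside a short window. The parser binary name EDS_PARSER_EXE is a placeholder and the sample records are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# PLACEHOLDER (assumption): the faulting-application name your EDS parser reports
# in Event ID 1000. Read it from a real crash record on a Studio 5000 host.
EDS_PARSER_EXE = "edsparser.exe"
WINDOW = timedelta(minutes=10)   # look-back window for "repeated" crashes
THRESHOLD = 3                    # crashes inside WINDOW that raise an alert

# Constructed sample records shaped like Application-log crash events
# (Event ID 1000, provider "Application Error") exported to JSON. Not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2020-05-19T08:00:05", "id": 1000, "source": "Application Error",
     "faulting_app": "EDSParser.exe"},
    {"time": "2020-05-19T08:01:10", "id": 1000, "source": "Application Error",
     "faulting_app": "EDSParser.exe"},
    {"time": "2020-05-19T08:03:30", "id": 1000, "source": "Application Error",
     "faulting_app": "notepad.exe"},          # unrelated crash, must be ignored
    {"time": "2020-05-19T08:04:00", "id": 1000, "source": "Application Error",
     "faulting_app": "EDSParser.exe"},        # third parser crash in four minutes
    {"time": "2020-05-19T09:30:00", "id": 1000, "source": "Application Error",
     "faulting_app": "EDSParser.exe"},        # isolated crash, below threshold
]

def is_eds_parser_crash(event):
    """True for an application-error record whose faulting process is the EDS parser."""
    return (event.get("id") == 1000
            and event.get("source") == "Application Error"
            and event.get("faulting_app", "").lower() == EDS_PARSER_EXE)

def find_crash_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return (first_crash, last_crash, count) for each burst of threshold EDS parser
    crashes that fit inside window; a burst is reported once, when the threshold is hit."""
    crashes = sorted(datetime.fromisoformat(e["time"])
                     for e in events if is_eds_parser_crash(e))
    recent = deque()
    bursts = []
    for ts in crashes:
        recent.append(ts)
        while ts - recent[0] > window:      # drop crashes older than the window
            recent.popleft()
        if len(recent) == threshold:
            bursts.append((recent[0], ts, len(recent)))
    return bursts

if __name__ == "__main__":
    for first, last, n in find_crash_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {n} EDS parser crashes between {first} and {last}")
```

Feed it the records your SIEM or a scheduled export produces for the engineering workstation, and forward each burst as a ticket so the offending EDS file can be pulled from the import share.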
Source excerpts
Primary — operational impact: “Successful exploitation of these vulnerabilities could lead to a denial-of-service condition.”
CISA — ICSA-20-140-01
Primary — attack mechanics: “The EDS subsystem does not provide adequate input sanitization, which may allow an attacker to craft specialized EDS files to inject SQL queries… This may lead to denial-of-service (DoS) conditions or allow an attacker to manipulate the SQL engine to write or modify files on the system.”
CISA — ICSA-20-140-01