|2017-03-21||Other||Rockwell Automation||Ivan Sanchez reported this vulnerability.
# Rockwell Automation Connected Components Workbench
### VULNERABLE VENDOR
Rockwell Automation
### VULNERABLE PRODUCT
Connected Components Workbench
Ivan Sanchez reported this vulnerability.
### AFFECTED PRODUCTS
The following versions of Connected Components Workbench (CCW), a software configuration platform, are affected:
Connected Components Workbench – Developer Edition, v9.01.00 and earlier.
Connected Components Workbench – Free Standard Edition (All Supported Languages), v9.01.00 and earlier.
Successful exploitation of this vulnerability could range from a denial of service (DoS) to the injection of malicious code into trusted processes, depending on the content of the DLL and the risk mitigations in place by the victim.
### VULNERABILITY OVERVIEW
DLL HIJACKING CWE-427
Certain DLLs included with versions of CCW software can be potentially hijacked to allow an attacker to gain rights to a victim’s affected personal computer.
Such access rights can be at the same privilege level as the compromised user account or potentially higher, up to and including computer administrator privileges.
CVE-2017-5176 has been assigned to this vulnerability.
A CVSS v3 base score of 7.0 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
Critical Infrastructure Sectors: Commercial Facilities, Defense Industrial Base, Energy, and Government Facilities
Countries/Areas Deployed: Globally
Company Headquarters Location: Milwaukee, Wisconsin
Rockwell Automation has released new versions of Connected Components Workbench, Version 10.00 and Version 10.01 (all supported languages), which address the identified vulnerability.
Rockwell Automation recommends updating to the latest version of Connected Components Workbench, Version 10.00 or later, which is available at the following location:
For more information on this vulnerability and more detailed mitigation instructions, please see Rockwell Automation advisory labeled Connected Components Workbench Software Dynamic Link Library (DLL) Hijack Version 1.0, February 16, 2017, at the following location: