ICS Advisory

Rockwell Automation FactoryTalk and RSLinx Vulnerabilities (Update A)

Last Revised
Alert Code
ICSA-13-095-02A

OVERVIEW

--------- Begin Update A Part 1 of 4 --------

This updated advisory is a follow-up to the original advisory titled ICSA-13-095-02 Rockwell Automation FactoryTalk and RSLinx Vulnerabilities that was published April 5, 2013, on the ICS-CERT Web page.

--------- End Update A Part 1 of 4 ----------

Researcher Carsten Eiram of Risk Based Security has identified multiple input validation vulnerabilities in Rockwell Automation’s FactoryTalk Services Platform (RNADiagnostics.dll) and RSLinx Enterprise Software (LogReceiver.exe and Logger.dll). Rockwell Automation has produced patches that mitigate these vulnerabilities, and released the patches April 5, 2013. Rockwell Automation has tested the patches to validate that they resolve the vulnerabilities.

--------- Begin Update A Part 2 of 4 --------

Carsten Eiram discovered additional vulnerabilities after the patches were released in April, and Rockwell released new patches that mitigate the additional vulnerabilities on June 28, 2013.

--------- End Update A Part 2 of 4 ----------

These vulnerabilities could be exploited remotely.

AFFECTED PRODUCTS

The following FactoryTalk Services Platform and RSLinx Enterprise product versions are affected:

  • CPR9,
  • CPR9-SR1,
  • CPR9-SR2,
  • CPR9-SR3,
  • CPR9-SR4,
  • CPR9-SR5,
  • CPR9-SR5.1, and
  • CPR9-SR6.

IMPACT

Successful exploitation of these vulnerabilities may result in a denial-of-service (DoS) condition for the affected services, service termination, and the potential for code injection.

Impact to individual organizations depends on many factors that are unique to each organization. ICS‑CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. 

BACKGROUND

Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.

FactoryTalk Services Platform (FTSP) shares data throughout a distributed system and enforces redundancy and fault tolerance while tracking changes in the system.

RSLinx Enterprise is a design and configuration tool that provides plant-floor device connectivity for multiple Rockwell software applications. It also exposes open interfaces to third-party human-machine interfaces (HMIs), data collection and analysis packages, and custom client applications.

According to Rockwell Automation, both products are deployed across several sectors including agriculture and food, water, chemical, manufacturing, and others. The Rockwell product Web site states that these products are used in France, Italy, the Netherlands, and other countries in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

INTEGER OVERFLOW–NEGATIVE INTEGER
(CWE-190: Integer Overflow or Wraparound, http://cwe.mitre.org/data/definitions/190.html, Web site last accessed April 05, 2013.)

The FactoryTalk Services Platform (RNADiagnostics.dll) does not validate input correctly and fails when asked to allocate a buffer of negative size. By sending a negative integer input to the service over Port 4445/UDP, an attacker could cause a DoS condition that prevents subsequent processing of connections. An attacker could possibly cause the RNADiagnostics.dll or RNADiagReceiver.exe service to terminate.

CVE-2012-4713 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
(NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4713, NIST uses this advisory to create the CVE Web site report. Web site last accessed October 07, 2013.)
(CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013.)

INTEGER OVERFLOW–OVERSIZED INTEGER
(CWE-190: Integer Overflow or Wraparound, http://cwe.mitre.org/data/definitions/190.html, Web site last accessed April 05, 2013.)

The FactoryTalk Services Platform (RNADiagnostics.dll) does not handle input correctly and fails when asked to allocate a buffer of oversized length. By sending an oversized integer input to the service over Port 4445/UDP, an attacker could cause a DoS condition that prevents subsequent processing of connections. An attacker could possibly cause the service to terminate.

CVE-2012-4714 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
(NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4714, NIST uses this advisory to create the CVE Web site report. Web site last accessed October 07, 2013.)
(CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013.)

--------- Begin Update A Part 3 of 4 --------

IMPROPER EXCEPTION HANDLING
(CWE-703: Improper Check or Handling of Exceptional Conditions, http://cwe.mitre.org/data/definitions/703.html, Web site last accessed April 05, 2013.)

The RSLinx Enterprise Software (LogReceiver.exe and Logger.dll) does not handle input correctly and enters a logic error state if it receives a zero-byte or oversized datagram. If an attacker sends a zero-byte datagram to the receiver over Port 4444/UDP (user-configurable, not enabled by default), the service enters a DoS condition in which it silently ignores further incoming requests.

After discussion with the researcher and the vendor, this vulnerability was determined to be a duplicate of CVE-2012-4715, and the two vulnerabilities have therefore been combined. CVE-2012-4715 will be retracted from the NVD Web site.

CVE-2012-4695 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
(NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4695, NIST uses this advisory to create the CVE Web site report. Web site last accessed October 07, 2013.)
(CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013.)

--------- End Update A Part 3 of 4 ----------

--------- Begin Update A Part 4 of 4 --------

OUT-OF-BOUNDS READ
(CWE-125: Out-of-bounds Read, http://cwe.mitre.org/data/definitions/125.html, Web site last accessed October 07, 2013.)

The RSLinx Enterprise Software (LogReceiver.exe) does not handle input correctly and results in a logic error if it receives a datagram with an incorrect value in the “Record Data Size” field. By sending a datagram to the service over Port 4444/UDP with the “Record Data Size” field modified to an oversized value, an attacker could cause an out-of-bounds read access violation that leads to a service crash. The service can be recovered with a manual reboot.

CVE-2013-2805 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
(NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2805, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.)
(CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013.)

INTEGER OVERFLOW
(CWE-190: Integer Overflow or Wraparound, http://cwe.mitre.org/data/definitions/190.html, Web site last accessed October 07, 2013.)

The RSLinx Enterprise Software (LogReceiver.exe) does not handle input correctly and produces a logic error when it calculates an incorrect value for the “Total Record Size” field. By sending a datagram to the service over Port 4444/UDP with the “Record Data Size” field modified to a specific oversized value, an attacker can cause the service to calculate an undersized “Total Record Size,” which results in an out-of-bounds read access violation and a service crash. The service can be recovered with a manual reboot.

CVE-2013-2807 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
(NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2807, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.)
(CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013.)

INTEGER OVERFLOW
(CWE-190: Integer Overflow or Wraparound, http://cwe.mitre.org/data/definitions/190.html, Web site last accessed October 07, 2013.)

The RSLinx Enterprise Software (LogReceiver.exe) does not handle input correctly and produces a logic error when it calculates an incorrect value for the “End of Current Record” field. By sending a datagram to the service over Port 4444/UDP with the “Record Data Size” field modified to a specific oversized value, an attacker can cause the service to calculate an undersized “Total Record Size.” The service then derives an incorrect “End of Current Record” value, causing access violations that lead to a service crash. The service can be recovered with a manual reboot.

CVE-2013-2806 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
(NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2806, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.)
(CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013.)

--------- End Update A Part 4 of 4 ----------
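Every condition described above (a negative size, an oversized size, a zero-byte datagram, a "Record Data Size" larger than the datagram that carries it, and the "Total Record Size" and "End of Current Record" values derived from it) comes down to a receiver acting on a length field before checking it. The C program below is an added example for defenders and developers, not Rockwell Automation's or ICS-CERT's code. Its record layout (a 4-byte little-endian size field followed by that many data bytes), the HEADER_LEN and MAX_RECORD_DATA constants, and the function names are constructed assumptions standing in for the undocumented LogReceiver format; the sample datagrams are likewise constructed. It shows the validation order a hardened receiver uses so that each of the malformed inputs the advisory lists is rejected instead of crashing the service or wedging it in a silent-ignore state.

```c
/*
 * Added example (not Rockwell's or ICS-CERT's code): defensive parsing of a
 * hypothetical length-prefixed log record carried in a UDP datagram.
 * Layout (assumed): 4-byte little-endian size field, then `size` data bytes.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HEADER_LEN      4u      /* assumed width of the "Record Data Size" field */
#define MAX_RECORD_DATA 4096u   /* assumed policy cap for one record's data */

enum parse_status {
    PARSE_OK = 0,
    PARSE_EMPTY_DATAGRAM,        /* zero-byte datagram */
    PARSE_TRUNCATED_HEADER,      /* fewer bytes than one size field */
    PARSE_NEGATIVE_SIZE,         /* sign bit set in the size field */
    PARSE_OVERSIZED,             /* size exceeds the policy cap */
    PARSE_SIZE_EXCEEDS_DATAGRAM  /* size claims more bytes than were received */
};

struct record_view {
    const uint8_t *data;   /* points into the datagram, nothing is copied */
    size_t data_size;      /* validated "Record Data Size" */
    size_t total_size;     /* header + data, computed only after validation */
    size_t end_offset;     /* "End of Current Record": offset of the next record */
};

/* Read a little-endian 32-bit value byte by byte (no alignment assumptions). */
static uint32_t read_le_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the record starting at `offset` and fill `out` only on success. */
enum parse_status parse_record(const uint8_t *dgram, size_t dgram_len,
                               size_t offset, struct record_view *out)
{
    memset(out, 0, sizeof *out);
    if (dgram_len == 0)
        return PARSE_EMPTY_DATAGRAM;
    if (offset > dgram_len || dgram_len - offset < HEADER_LEN)
        return PARSE_TRUNCATED_HEADER;

    uint32_t raw = read_le_u32(dgram + offset);
    if (raw > (uint32_t)INT32_MAX)        /* negative if read as a signed int */
        return PARSE_NEGATIVE_SIZE;
    size_t size = (size_t)raw;
    if (size > MAX_RECORD_DATA)
        return PARSE_OVERSIZED;

    /* Never trust the field beyond what the datagram actually holds. */
    size_t remaining = dgram_len - offset - HEADER_LEN;
    if (size > remaining)
        return PARSE_SIZE_EXCEEDS_DATAGRAM;

    /* Every operand is now bounded by dgram_len, so these sums cannot wrap. */
    out->data = dgram + offset + HEADER_LEN;
    out->data_size = size;
    out->total_size = HEADER_LEN + size;
    out->end_offset = offset + out->total_size;
    return PARSE_OK;
}

/* Status of the first record in a datagram (convenience wrapper). */
enum parse_status classify_first_record(const uint8_t *dgram, size_t dgram_len)
{
    struct record_view rv;
    return parse_record(dgram, dgram_len, 0, &rv);
}

/* Walk all records; stop at the first malformed one and report how many passed. */
size_t count_valid_records(const uint8_t *dgram, size_t dgram_len)
{
    size_t offset = 0, n = 0;
    struct record_view rv;
    while (offset < dgram_len) {
        if (parse_record(dgram, dgram_len, offset, &rv) != PARSE_OK)
            break;
        offset = rv.end_offset;
        n++;
    }
    return n;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t sample_two_records[] = { 3, 0, 0, 0, 'a', 'b', 'c',  0, 0, 0, 0 };
static const uint8_t sample_truncated[]   = { 3, 0, 0 };
static const uint8_t sample_negative[]    = { 0xFF, 0xFF, 0xFF, 0xFF };
static const uint8_t sample_oversized[]   = { 0xF0, 0xFF, 0xFF, 0x7F };
static const uint8_t sample_overclaim[]   = { 16, 0, 0, 0, 'a', 'b' };

int main(void)
{
    printf("two records   -> %zu valid\n", count_valid_records(sample_two_records, sizeof sample_two_records));
    printf("empty         -> status %d\n", classify_first_record(sample_two_records, 0));
    printf("truncated     -> status %d\n", classify_first_record(sample_truncated, sizeof sample_truncated));
    printf("negative size -> status %d\n", classify_first_record(sample_negative, sizeof sample_negative));
    printf("oversized     -> status %d\n", classify_first_record(sample_oversized, sizeof sample_oversized));
    printf("overclaim     -> status %d\n", classify_first_record(sample_overclaim, sizeof sample_overclaim));
    return 0;
}
```

The ordering matters: the datagram length is checked before the size field is read, the field is checked for sign and policy cap before it is used in arithmetic, and the derived "Total Record Size" and "End of Current Record" values are computed only after the field has been bounded by the bytes actually received, so none of the sums can wrap or point past the buffer.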

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with a low skill level would be able to exploit these vulnerabilities.

MITIGATION

Rockwell Automation’s recommendation to asset owners using FTSP or RSLinx CPR9 through CPR9-SR4 is to upgrade to CPR9-SR5 or newer. Rockwell Automation also recommends that all asset owners using FTSP or RSLinx CPR9-SR5 or newer apply the corresponding patch for the version they are using.

The patches and details pertaining to these vulnerabilities can be found at the following Rockwell Automation Security Advisory link (login is required):

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/537599

In addition, asset owners can find security information for other Rockwell Automation products at the Security Advisory Index page link below (login is required):

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102

ICS‑CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS‑CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Mitigation Strategies, which is available for download from the ICS-CERT Web site (http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS‑CERT for tracking and correlation against other incidents.


Vendor

Rockwell Automation