U.S. Department of Homeland Security. ICS-CERT: Industrial Control Systems Cyber Emergency Response Team.
TLP:WHITE

Advisory (ICSA-11-175-01)

Rockwell FactoryTalk Diag Viewer Memory Corruption

Original release date: June 24, 2011 | Last revised: April 26, 2013

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



Overview

Independent security researchers Billy Rios and Terry McCorkle have coordinated with ICS-CERT on a memory corruption vulnerability that affects Rockwell Automation's FactoryTalk Diagnostics Viewer product.
By using a specially crafted FactoryTalk Diagnostics Viewer configuration file, an attacker could possibly cause memory corruption that allows the execution of arbitrary code.

According to Rockwell Automation, this issue has been resolved in later versions of the FactoryTalk Diagnostics Viewer, starting with V2.30.00 (CPR9 SR3). ICS-CERT has not validated this update.

Affected Products

According to Rockwell Automation, this vulnerability affects Versions 2.10.x (SPR9 SR2) and earlier.

Impact

A successful exploitation of this vulnerability could result in the execution of arbitrary code.

The exact impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.

Background

Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.

The FactoryTalk Diagnostics Viewer is part of the FactoryTalk Services Platform and collects, stores, and provides access to activity, status, warning, and error messages generated by products during installation, configuration, and operation.

Vulnerability Characterization

Vulnerability Overview

The memory corruption vulnerability could allow an attacker to execute arbitrary code using a specially crafted FactoryTalk Diagnostics Viewer configuration file (.ftd extension).

Vulnerability Details

Exploitability

This vulnerability is not remotely exploitable. The exploit can only be triggered when the specially crafted file is executed locally by a vulnerable version of FactoryTalk Diagnostics Viewer.

Existence of Exploit

No known exploits specifically target this vulnerability.

Difficulty

Crafting a working exploit for this vulnerability requires moderate skill. Social engineering is required to convince the user to accept the malformed file, decreasing the likelihood of a successful exploit.

Mitigation

Rockwell Automation recommends that concerned customers upgrade the FactoryTalk Diagnostics Viewer to the latest version. Because FactoryTalk Diagnostics Viewer is not available as a standalone installation, customers must upgrade the FactoryTalk Services Platform product to FactoryTalk Diagnostics Viewer (CPR9 SR3) or greater.

Rockwell Automation also recommends its customers review the Rockwell Automation Software Product Compatibility Matrix to ensure they understand the dependencies and compatibilities that may arise as a result of upgrading this product.

For more information, refer to Rockwell Automation Security Advisory KB#448424.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  http://ics-cert.us-cert.gov 
or incident reporting:  https://ics-cert.us-cert.gov/Report-Incident?
