Rockwell RSLogix Overflow Vulnerability (Update A)
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
This updated advisory is a follow-up to the Alert titled “ICS-ALERT-11-256-05A—Rockwell RSLogix Overflow Vulnerability” that was published September 13, 2011, on the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) web page.
ICS-CERT is aware of a public report of an overflow vulnerability in Rockwell Automation’s RSLogix application that could lead to a denial-of-service condition.
--------- Begin Update A Part 1 of 2 --------
Rockwell has produced a patch that mitigates this vulnerability for all affected versions of FactoryTalk Services Platform and RSLogix 5000.
--------- End Update A Part 1 of 2 ----------
According to Rockwell Automation, the following products are affected:
- RSLogix 5000 software Versions V17, V18, and V19
- All FactoryTalk-branded software of specific Versions CPR9 and CPR9-SR1 through SR4.
Successful exploitation of this vulnerability could result in a denial-of-service.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.
RSLogix 5000 is a programming suite used to develop interfaces within the control system environment.
The FactoryTalk Services Platform is a collection of production and performance management systems.
A Read Access violation can occur when a specially crafted packet is sent to open ports running the
software. The open TCP ports are as follows:
CVE-2011-3489 has been assigned to this vulnerability in the National Vulnerability Database (NVD).1 A CVSS base score of 5.0 has been assigned.
This vulnerability is remotely exploitable.
Existence of Exploit
Public exploits are known to target this vulnerability.
An attacker with a low skill level can create the denial-of-service.
--------- Begin Update A Part 2 of 2 --------
Rockwell Automation recommends that concerned customers using FactoryTalk Services Platform Versions CPR9 and CPR9-SR1 through SR4 and customers using RSLogix versions V17, V18, and V19 apply patch AID 458689.
Customers using FactoryTalk Services Platform CPR7 and earlier, and RSLogix 5000 V16 and earlier, are not affected by this vulnerability.
For full patching instructions and additional information, refer to Rockwell Automation Security Advisory KB 456144.
--------- End Update A Part 2 of 2 ----------
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
- Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
The Control Systems Security Program (CSSP) also provides a section for control system security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
- 1. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3489, website last accessed September 30, 2011.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.