Official website of the Department of Homeland Security
ICS-CERT. Industrial Control Systems Cyber Emergency Response Team.
TLP:WHITE

Advisory (ICSA-13-095-02A)

Rockwell Automation FactoryTalk and RSLinx Vulnerabilities (Update A)

Original release date: October 07, 2013 | Last revised: December 17, 2013

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



OVERVIEW

--------- Begin Update A Part 1 of 4 --------

This updated advisory is a follow-up to the original advisory titled ICSA-13-095-02 Rockwell Automation FactoryTalk and RSLinx Vulnerabilities that was published April 5, 2013, on the ICS-CERT Web page.

--------- End Update A Part 1 of 4 ----------

Researcher Carsten Eiram of Risk Based Security has identified multiple input validation vulnerabilities in Rockwell Automation's FactoryTalk Services Platform (RNADiagnostics.dll) and RSLinx Enterprise Software (LogReceiver.exe and Logger.dll). Rockwell Automation has produced patches that mitigate these vulnerabilities and released them on April 5, 2013. Rockwell Automation has tested the patches to validate that they resolve the vulnerabilities.

--------- Begin Update A Part 2 of 4 --------

Carsten Eiram discovered additional vulnerabilities after the patches were released in April, and Rockwell released new patches that mitigate the additional vulnerabilities on June 28, 2013.

--------- End Update A Part 2 of 4 ----------

These vulnerabilities could be exploited remotely.

AFFECTED PRODUCTS

The following FactoryTalk Services Platform and RSLinx Enterprise product versions are affected:

  • CPR9,
  • CPR9-SR1,
  • CPR9-SR2,
  • CPR9-SR3,
  • CPR9-SR4,
  • CPR9-SR5,
  • CPR9-SR5.1, and
  • CPR9-SR6.

IMPACT

Successful exploitation of these vulnerabilities may result in a denial-of-service (DoS) condition against the affected services, including service termination, and potentially code injection.

Impact to individual organizations depends on many factors that are unique to each organization. ICS‑CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. 

BACKGROUND

Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.

FactoryTalk Services Platform (FTSP) shares data throughout a distributed system and enforces redundancy and fault tolerance while tracking changes in the system.

RSLinx Enterprise provides plant-floor device connectivity for multiple Rockwell software applications and is used for their design and configuration. The software also exposes open interfaces for third-party human-machine interfaces (HMIs), data collection and analysis packages, and custom client applications.

According to Rockwell Automation, both products are deployed across several sectors including agriculture and food, water, chemical, manufacturing, and others. The Rockwell product Web site states that these products are used in France, Italy, the Netherlands, and other countries in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

INTEGER OVERFLOW–NEGATIVE INTEGER

The FactoryTalk Services Platform (RNADiagnostics.dll) does not validate input correctly and fails when asked to allocate memory sized by a negative integer. By sending a negative integer value to the service over Port 4445/UDP, an attacker could cause a DoS condition that prevents subsequent processing of connections, and could possibly cause the RNADiagnostics.dll or RNADiagReceiver.exe service to terminate.

CVE-2012-4713 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).

INTEGER OVERFLOW–OVERSIZED INTEGER

The FactoryTalk Services Platform (RNADiagnostics.dll) does not validate input correctly and fails when asked to allocate memory sized by an over-sized integer. By sending an over-sized integer value to the service over Port 4445/UDP, an attacker could cause a DoS condition that prevents subsequent processing of connections, and could possibly cause the service to terminate.

CVE-2012-4714 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).

--------- Begin Update A Part 3 of 4 --------

IMPROPER EXCEPTION HANDLING

The RSLinx Enterprise Software (LogReceiver.exe and Logger.dll) does not handle input correctly and enters a logic error if it receives a zero-byte or oversized datagram. If an attacker sends a zero-byte datagram to the receiver over Port 4444/UDP (user-configurable, not enabled by default), the service silently ignores all further incoming requests, a DoS condition.

After discussion with the researcher and vendor, this vulnerability was determined to be a duplicate of CVE-2012-4715, and the two have therefore been combined. CVE-2012-4715 will be retracted from the NVD Web site.

CVE-2012-4695 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).

--------- End Update A Part 3 of 4 ----------

--------- Begin Update A Part 4 of 4 --------

OUT-OF-BOUNDS READ

The RSLinx Enterprise Software (LogReceiver.exe) does not handle input correctly and enters a logic error if it receives a datagram with an incorrect value in the “Record Data Size” field. By sending a datagram to the service over Port 4444/UDP with the “Record Data Size” field set to an oversized value, an attacker could cause an out-of-bounds read access violation that crashes the service. The service can be recovered with a manual reboot.

CVE-2013-2805 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).

INTEGER OVERFLOW–TOTAL RECORD SIZE

The RSLinx Enterprise Software (LogReceiver.exe) does not handle input correctly and calculates an incorrect value for the “Total Record Size” field. By sending a datagram to the service over Port 4444/UDP with the “Record Data Size” field set to a specifically oversized value, an attacker causes the service to calculate an undersized “Total Record Size,” which leads to an out-of-bounds read access violation and a service crash. The service can be recovered with a manual reboot.

CVE-2013-2807 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).

INTEGER OVERFLOW–END OF CURRENT RECORD

The RSLinx Enterprise Software (LogReceiver.exe) does not handle input correctly and calculates an incorrect value for the “End of Current Record” field. By sending a datagram to the service over Port 4444/UDP with the “Record Data Size” field set to a specifically oversized value, an attacker causes the service to calculate an undersized “Total Record Size.” The service then derives an incorrect “End of Current Record” value from it, causing access violations that crash the service. The service can be recovered with a manual reboot.

CVE-2013-2806 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).

--------- End Update A Part 4 of 4 ----------
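Every vulnerability above comes down to a UDP receiver trusting a size field it has not validated: a negative or over-sized value handed to an allocator (Port 4445/UDP), a zero-byte datagram that leaves the receiver wedged (Port 4444/UDP), and a “Record Data Size” chosen so that the 32-bit “Total Record Size” wraps to something smaller than the record header, which in turn places “End of Current Record” somewhere the data is not. The C program below is an added example written for this page; it is not Rockwell Automation’s code and does not reproduce the real RSLinx log format. The record layout it parses (a 4-byte little-endian signed “Record Data Size” followed by that many bytes of data, records packed back to back in one datagram), the 4096-byte per-record cap, and the sample datagrams are all assumptions constructed for illustration. It puts the unchecked wrap-around arithmetic next to a parser that checks every field against the bytes actually received before using it.

```c
/* Added example, not Rockwell Automation's code. Hypothetical log-record
 * layout assumed for illustration: each record is a 4-byte little-endian
 * signed "Record Data Size" field followed by that many bytes of data, and
 * a datagram carries one or more records packed back to back. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

#define RECORD_HDR_LEN   4u
#define MAX_DATAGRAM     65507u   /* largest UDP payload over IPv4 */
#define MAX_RECORD_DATA  4096u    /* assumed per-record cap for this format */

enum parse_status {
    PARSE_OK = 0,
    PARSE_EMPTY_DATAGRAM,      /* zero-byte datagram */
    PARSE_OVERSIZED_DATAGRAM,  /* longer than any legal UDP payload */
    PARSE_TRUNCATED_HEADER,    /* fewer than RECORD_HDR_LEN bytes remain */
    PARSE_NEGATIVE_SIZE,       /* Record Data Size is negative */
    PARSE_OVERSIZED_SIZE,      /* Record Data Size exceeds the cap */
    PARSE_TRUNCATED_DATA       /* End of Current Record lies past the datagram */
};

static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* The unchecked calculation: header length plus an attacker-chosen Record
 * Data Size in 32-bit arithmetic. A "specifically oversized" value wraps the
 * Total Record Size to less than the header itself, so a parser that trusts
 * it reads past the end of the buffer. */
uint32_t naive_total_record_size(uint32_t record_data_size)
{
    return record_data_size + RECORD_HDR_LEN;   /* wraps modulo 2^32 */
}

/* Hardened walk over every record. *records receives the number of records
 * fully validated before returning. No byte is read until the range that
 * contains it has been checked against len. */
enum parse_status parse_datagram(const uint8_t *buf, size_t len, size_t *records)
{
    size_t off = 0;

    *records = 0;
    if (len == 0)
        return PARSE_EMPTY_DATAGRAM;
    if (len > MAX_DATAGRAM)
        return PARSE_OVERSIZED_DATAGRAM;

    while (off < len) {
        int32_t data_size;
        size_t total;

        if (len - off < RECORD_HDR_LEN)
            return PARSE_TRUNCATED_HEADER;
        data_size = read_le32(buf + off);
        if (data_size < 0)
            return PARSE_NEGATIVE_SIZE;
        if ((uint32_t)data_size > MAX_RECORD_DATA)
            return PARSE_OVERSIZED_SIZE;

        /* Total Record Size is computed only after the cap above, so it
         * cannot wrap; End of Current Record is checked as "bytes remaining"
         * rather than by adding to a pointer and comparing afterwards. */
        total = RECORD_HDR_LEN + (size_t)data_size;
        if (total > len - off)
            return PARSE_TRUNCATED_DATA;

        /* A real receiver would hand buf + off + RECORD_HDR_LEN, data_size
         * bytes to the logger here. */
        off += total;
        (*records)++;
    }
    return PARSE_OK;
}

enum parse_status parse_status_of(const uint8_t *buf, size_t len)
{
    size_t n;
    return parse_datagram(buf, len, &n);
}

size_t record_count(const uint8_t *buf, size_t len)
{
    size_t n;
    (void)parse_datagram(buf, len, &n);
    return n;
}

/* Constructed datagrams for illustration, not captured traffic. */
static const uint8_t DG_GOOD[]      = { 3,0,0,0,'a','b','c', 2,0,0,0,'x','y' };
static const uint8_t DG_NEGATIVE[]  = { 0xFF,0xFF,0xFF,0xFF };       /* size -1 */
static const uint8_t DG_OVERSIZED[] = { 0xFF,0xFF,0xFF,0x7F };       /* INT32_MAX */
static const uint8_t DG_TRUNCATED[] = { 10,0,0,0,'a','b','c' };      /* claims 10, has 3 */
static const uint8_t DG_SHORT_HDR[] = { 3,0,0,0,'a','b','c', 1 };    /* 1 trailing byte */

int main(void)
{
    printf("naive Total Record Size for 0xFFFFFFFE: %" PRIu32 " (true value 4294967298)\n",
           naive_total_record_size(0xFFFFFFFEu));
    printf("good=%d records=%zu\n", parse_status_of(DG_GOOD, sizeof DG_GOOD),
           record_count(DG_GOOD, sizeof DG_GOOD));
    printf("empty=%d negative=%d oversized=%d truncated=%d short_hdr=%d\n",
           parse_status_of(DG_GOOD, 0),
           parse_status_of(DG_NEGATIVE, sizeof DG_NEGATIVE),
           parse_status_of(DG_OVERSIZED, sizeof DG_OVERSIZED),
           parse_status_of(DG_TRUNCATED, sizeof DG_TRUNCATED),
           parse_status_of(DG_SHORT_HDR, sizeof DG_SHORT_HDR));
    return 0;
}
```

The design point is the order of operations: the sign and magnitude of the size field are checked before any arithmetic is done with it, the sum is formed in a type that cannot wrap for the capped range, and the bounds test is expressed as "bytes remaining in the datagram" so no pointer is ever advanced past the buffer and compared afterwards. A zero-length datagram is rejected up front with an explicit status rather than being allowed to leave the receiver in a state where it silently ignores later input.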

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with low skill would be able to exploit these vulnerabilities.

MITIGATION

Rockwell Automation recommends that asset owners using FTSP or RSLinx CPR9 through CPR9-SR4 upgrade to CPR9-SR5 or newer. Rockwell Automation also recommends that all asset owners using FTSP or RSLinx CPR9-SR5 or newer apply the corresponding patch for the version they are using.

The patches and details pertaining to these vulnerabilities can be found at the following Rockwell Automation Security Advisory link (login is required):

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/537599

In addition, asset owners can find security information for other Rockwell Automation products at the Security Advisory Index page link below (login is required):

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102

ICS‑CERT encourages asset owners to take additional defensive measures to protect against these and other cybersecurity risks.

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the devices connected to it.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS‑CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Mitigation Strategies, which is available for download from the ICS-CERT Web site (http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS‑CERT for tracking and correlation against other incidents.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: http://ics-cert.us-cert.gov
For incident reporting: https://ics-cert.us-cert.gov/Report-Incident?
