Introduction
Description
Version 1.0 - MAY 19, 2017
A vulnerability has been identified in select PanelView™ Plus 6 700-1500 (7" - 15" displays) graphic terminal products. The identified versions ship with an open test port that, if successfully exploited via Telnet, can allow a remote attacker to connect to a host device and cause changes as if the device were in a testing environment.
PanelView Plus 6 700-1500 (7" - 15" displays) graphic terminal products allow customers to monitor, control, and display the status of their application graphically within their system. These products are used across several industries, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.
Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the relevant mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
Any graphic terminals that are using OS 2.31 or greater are not affected by this vulnerability. The OS version can be found in the release notes for firmware.
Only firmware versions listed below are affected by this vulnerability. For information on how to identify the installed firmware version on your terminal, please see the following link: https://www.youtube.com/watch?v=nLPnBpMXqEs&t=9s
PanelView Plus 6 700-1500 (7" - 15" displays) Graphic Terminals and Logic Modules with the following firmware versions installed:
6.00.04
6.00.05
6.00.42
6.00-20140306
6.10.20121012
6.10-20140122
7.00-20121012
7.00-20130108
7.00-20130325
7.00-20130619
7.00-20140128
7.00-20140310
7.00-20140429
7.00-20140621
7.00-20140729
7.00-20141022
8.00-20140730
8.00-20141023
VULNERABILITY DETAILS
A remote, unauthenticated user could connect to a PanelView Plus 6 700-1500 (7" - 15" display) device by establishing a Telnet session with the panel. If a connection is made, the malicious user can get access to the test interface of the PanelView Plus 6 700-1500 (7" - 15" display) graphic terminal, allowing the attacker to potentially make disruptive changes and/or extract information from the device.
Rockwell Automation has evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Customers using the affected terminals are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed toward risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Type of Device | Product Family | Suggested Actions |
| Graphic Terminals and Logic Modules | PanelView Plus 6 700-1500 (7"-15") | -V7.00: Apply V7.00-20150209 -Alternatively, disable TestMon on your device. For more information, visit KnowledgeBase Article 1046760 |
GENERAL SECURITY GUIDELINES
1. Block all traffic to EtherNet/IP™ devices or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management (UTM) devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
2. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
3. Locate control system networks and devices behind firewalls, and isolate them from the rest of the business network.
4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices where they are used.
5. When downloading updates, make sure the site or source of the update can be trusted.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: mailto:Secure@ra.rockwell.com.
ADDITIONAL LINKS
54102 - Industrial Security Advisory Index
Industrial Firewalls within a CPwE Architecture
Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
KCS Status
