Severity:
High,
Medium
Advisory ID:
PN1540
Published Date:
January 22, 2021
Last Updated:
January 22, 2021
Revision Number:
2.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2020-5806,
CVE-2020-5801,
CVE-2020-5802,
CVE-2020-5807
Summary
FactoryTalk Linx and FactoryTalk Services Platform Contain Denial-of-Service Vulnerabilities
Revision History
Revision Number
2.0
Revision History
Version 3.0 - January 22, 2021. Updated and Corrected Risk Mitigation & User Actions.
Version 2.0 - January 14, 2021. Updated Risk Mitigation & User Actions.
Version 1.0 - December 27, 2020. Initial Version.
Executive Summary
Rockwell Automation received a report from Tenable regarding 4 vulnerabilities. Three of these vulnerabilities are within FactoryTalk® Linx software and the fourth is in FactoryTalk Services Platform. If successfully exploited, these vulnerabilities may result in denial-of-service conditions.
Nearly all FactoryTalk software ships with a FactoryTalk Services Platform. If you are unsure if you have the FactoryTalk Services Platform installed, please see Knowledgebase ID QA5266 for additional details.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Nearly all FactoryTalk software ships with a FactoryTalk Services Platform. If you are unsure if you have the FactoryTalk Services Platform installed, please see Knowledgebase ID QA5266 for additional details.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
| Vulnerability | Affected Products |
| CVE-2020-5801 | FactoryTalk Linx version 6.20 and earlier. |
| CVE-2020-5802 | FactoryTalk Linx version 6.20 and earlier. |
| CVE-2020-5806 | FactoryTalk Linx versions 6.10, 6.11, and 6.20. |
| CVE-2020-5807 | FactoryTalk Services Platform version 6.20 and earlier. |
Vulnerability Details
CVE-2020-5801 and CVE-2020-5802: Denial-of-Service due to Unhandled Exception
An unhandled exception vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial of service condition.
CVSS v3.1 Base Score: 7.5 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-5806: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a local, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial-of-service condition.
CVSS v3.1 Base Score: 6.2 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-5807: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Services Platform. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted log file to a local user. When the malicious log file is opened by a local user, it can cause a buffer overflow in the FactoryTalk Services Platform resulting in temporary denial-of-service conditions. Users can recover from the condition by reopening the impacted software.
CVSS v3.1 Base Score: 4.3 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
An unhandled exception vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial of service condition.
CVSS v3.1 Base Score: 7.5 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-5806: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a local, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial-of-service condition.
CVSS v3.1 Base Score: 6.2 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-5807: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Services Platform. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted log file to a local user. When the malicious log file is opened by a local user, it can cause a buffer overflow in the FactoryTalk Services Platform resulting in temporary denial-of-service conditions. Users can recover from the condition by reopening the impacted software.
CVSS v3.1 Base Score: 4.3 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Risk Mitigation & User Action
Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.
Version 3.0: Correction
Version 3.0: Correction
| Vulnerability | Suggested Actions |
| CVE-2020-5801 CVE-2020-5802 | Version 2.0: Apply patch found in BF26285. Version 1.0: Apply Internet Protocol Security (IPSec) to provide security services for IP network traffic. For more information on how to apply IPSec, see Knowledge Base ID QA46277 . |
| CVE-2020-5806 | Version 3.0: Apply patch found in BF26287 |
| CVE-2020-5807 | For FactoryTalk Services Platform v6.20 see Patch Answer ID BF26157. |
General Security Guidelines
Network-based Vulnerability Mitigations for Embedded Products
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.
- Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
- Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID BF7490.
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use Microsoft® AppLocker or other similar allow list applications that can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
- Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
- Do not open untrusted .ftd files with FactoryTalk Services Platform.
- Do not click on or open URL links from untrusted sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
Copyright ©2022 Rockwell Automation, Inc.