Introduction
Description
April 20, 2015 - version 1.0
A vulnerability has been discovered by independent researcher Ivan Javier Sanchez in a non-critical software component distributed with certain versions of the RSLinx Classic product. The included executable, OpcTest.exe, is a test client for RSLinx’s support of the OPC-DA protocol. The discovered vulnerability is not remotely exploitable and successful social engineering is required to convince a victim to use the test client to open an untrusted, specifically modified CSV file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as OpcTest.exe. At this time there is no known publicly available exploit code.
Rockwell Automation has verified the validity of Mr. Sanchez’ discoveries and a new software release has been issued for RSLinx Classic that includes a new version of OPCTest.exe to address the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.
AFFECTED PRODUCTS
The following software has been confirmed to be susceptible to the reported vulnerability:
Software Name | Version |
--- | --- |
RSLinx Classic | All versions prior to, not including 3.73.00 |
VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS
OpcTest.exe can import a comma-separated values (CSV) file containing lists of tags and groups, so that the software user can easily subscribe to these items from the RSLinx Classic software. The discovered vulnerability is in the OpcTest.exe code that parses this CSV content. When a specially crafted or altered file is used, the OpcTest.exe parser can encounter a buffer overflow, which has the potential to modify the stack and allow execution of unknown code on the affected computer. If successful, such unknown code will run at the same privilege level as the user who is logged into the machine.
Exploitation of this vulnerability requires an attacker to convince a user to introduce or replace CSV files with specifically created or modified CSV files that have been constructed to use this buffer overflow condition to successfully execute malicious code.
Potential impacts from a successful attack could include a software crash (i.e. denial of service), requiring a software restart. In more extreme cases, the victim may not even be aware that the vulnerability has been exploited while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same or higher privilege level as the victim on the affected computer, up to and including computer administrative privileges.
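To illustrate the class of defect described above, the following is an added example in C. It is not code from the original advisory or from Rockwell Automation, and it is not OpcTest.exe's actual parser; the "group,tag" line format, the field-length limits and the sample inputs are all constructed for the illustration. It shows the unbounded-copy pattern that turns an over-long CSV field into a stack buffer overflow beside a bounded parser that rejects such fields instead of truncating them silently.

```c
#include <stdio.h>
#include <string.h>

/* Constructed limits for this illustration only; they are not the
 * real limits used by OpcTest.exe or RSLinx Classic. */
#define MAX_NAME    32   /* bytes per group or tag field, including the NUL */
#define MAX_LINE    256  /* bytes per CSV line, including the NUL */
#define MAX_ENTRIES 8

typedef struct {
    char group[MAX_NAME];
    char tag[MAX_NAME];
} tag_entry_t;

/* BEFORE: the pattern behind CSV-parser stack overflows. "%[^,]" has no
 * field width, so a field longer than MAX_NAME-1 bytes is copied past the
 * end of the fixed-size arrays (on the caller's stack when the entry is a
 * local variable). Kept here only for contrast; it is never called. */
int parse_line_unsafe(const char *line, tag_entry_t *e)
{
    return sscanf(line, "%[^,],%[^,\r\n]", e->group, e->tag) == 2 ? 0 : -1;
}

/* Copy one CSV field from src into dst (capacity dst_len), stopping at the
 * separator, CR, LF or end of string. A field that is empty or would not fit
 * is an error: the line is rejected rather than silently truncated.
 * Returns a pointer to the character that ended the field, or NULL. */
static const char *copy_field(const char *src, char *dst, size_t dst_len, char sep)
{
    size_t n = 0;
    while (src[n] != '\0' && src[n] != sep && src[n] != '\r' && src[n] != '\n') {
        if (n + 1 >= dst_len)        /* leave room for the NUL */
            return NULL;             /* oversize field: refuse it */
        dst[n] = src[n];
        n++;
    }
    if (n == 0)
        return NULL;                 /* empty field */
    dst[n] = '\0';
    return src + n;
}

/* AFTER: bounded parse of one "group,tag" line. Returns 0 on success, -1 if
 * the line is malformed or any field exceeds its buffer. */
int parse_line_safe(const char *line, tag_entry_t *e)
{
    const char *p = copy_field(line, e->group, sizeof e->group, ',');
    if (p == NULL || *p != ',')
        return -1;                   /* missing separator or bad group */
    p = copy_field(p + 1, e->tag, sizeof e->tag, ',');
    if (p == NULL || (*p != '\0' && *p != '\r'))
        return -1;                   /* bad tag or trailing fields */
    return 0;
}

/* Parse a whole CSV body into out[]. Blank lines are skipped. Returns the
 * number of entries, or -1 if any line is rejected or the table is full. */
int parse_csv(const char *csv, tag_entry_t *out, int max_entries)
{
    int count = 0;
    const char *p = csv;
    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[MAX_LINE];
        if (len >= sizeof line)
            return -1;               /* same rule applies to the line buffer */
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0 && line[0] != '\r') {
            if (count >= max_entries)
                return -1;
            if (parse_line_safe(line, &out[count]) != 0)
                return -1;
            count++;
        }
        p = eol ? eol + 1 : p + len;
    }
    return count;
}

/* Constructed sample inputs (not real RSLinx exports). */
const char SAMPLE_OK[] =
    "Line1,Motor1_Speed\n"
    "Line1,Motor1_Temp\n"
    "Line2,Valve7_Open\n";
/* Second field is 40 bytes, beyond the 31-byte limit: must be rejected. */
const char SAMPLE_OVERSIZE[] =
    "Line1,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

int main(void)
{
    tag_entry_t entries[MAX_ENTRIES];
    int n = parse_csv(SAMPLE_OK, entries, MAX_ENTRIES);
    printf("good file: %d entries, last tag %s\n", n, n > 0 ? entries[n - 1].tag : "-");
    n = parse_csv(SAMPLE_OVERSIZE, entries, MAX_ENTRIES);
    printf("oversize field: parse_csv returned %d (rejected)\n", n);
    return 0;
}
```

The design choice worth noting is that `copy_field` refuses an over-long field rather than truncating it: truncation keeps the buffer intact but can silently map one tag name onto another, whereas rejection surfaces the malformed file to the user, which is the behaviour a test client importing untrusted input should have.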
CUSTOMER RISK MITIGATION AND REMEDIATION
Customers using affected versions of RSLinx Classic are encouraged to upgrade to the newest available software versions, which address the associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies against this type of attack, such as those listed below, are also recommended. When possible, multiple strategies should be employed simultaneously.
- Do not open untrusted CSV files with OpcTest.exe
- Upgrade affected products as follows:
Software | Catalog Number | Affected Software | Recommendation |
--- | --- | --- | --- |
RSLinx Classic | 9355-WABSNENE; 9355-WABOEMENE; 9355-WABGWENE | All software versions prior to 3.72.00.01 | Upgrade to 3.73.00 or higher (available now) |
- Limit access to those assets with RSLinx Classic and other software to authorized personnel.
- Run all software as User, not as an Administrator.
- Restrict network access to assets with RSLinx Classic and other software as appropriate.
- Use trusted software and software patches that are obtained only from highly reputable sources.
- Obtain software and software patches only from trustworthy websites, and interact only with such sites.
- Use of Microsoft AppLocker or a similar application whitelisting tool can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
- Follow good network design practices, including network separation and segmentation and the use of DMZs with properly configured firewalls to selectively control and monitor traffic passed between zones and systems.
- Maintain layered physical and logical security and defense-in-depth design practices for the ICS.
- Reaffirm with employees the importance of constant vigilance, especially regarding the ongoing potential for social engineering attacks to manipulate otherwise normal user behaviors.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.