PN1081 | Ability to gain root-user level access to PanelView 5510 Graphic Terminals

Introduction

Description

Version 1.1 - August 2, 2019

Version 1.0 - July 9, 2019

Several customers contacted Remote Support about an issue with their PanelView™ 5510 graphic terminals that, upon further investigation, could expose a potential vulnerability in the terminal. If successfully exploited, this vulnerability may allow a threat actor to gain access to the file system on the terminal.

PanelView 5510 terminals are operator interface devices that monitor and control devices that are attached to certain Rockwell Automation® Programmable Automation Controllers via EtherNet/IP™. These products are used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this firmware in their product are encouraged to evaluate and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

PanelView 5510 Graphic Terminals

• All Versions manufactured before 2019/03/13 which have never been updated to V4.003, V5.002, or later.

VULNERABILITY DETAILS

A race condition exists in the boot process of the PanelView 5510 Graphic Display which in rare occasions results in a state that allows root-level access to the device’s file system. If VNC is enabled on the device, then a remote authenticated threat actor could leverage the vulnerability to gain root- level access to the device.

CVE-2019-10970 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using PanelView 5510 with manufacturing dates prior to 2019/03/13 are encouraged to update to an available revision that addresses the associated risk. Customers who are unable to update should disable the VNC server on the device. In addition, if possible, customers should remove peripherals such as keyboards and limit arbitrarily power cycling of the product. Additionally, customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines.

GENERAL SECURITY GUIDELINES

• Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Article ID 898270.
• Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

• 54102 - Industrial Security Advisory Index
• Industrial Firewalls within a CPwE Architecture
• Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
• [ICS-CERT/NCCIC] ICSA-19-190-02 Rockwell Automation PanelView 5510

REVISION HISTORY

KCS Status