Introduction
Description
February 15, 2012 - version 1.0
Update to January 31, 2012 - version 1.0
On January 17, 2012, Rockwell Automation was made aware of two security vulnerabilities in the FactoryTalk™ Diagnostics Receiver Service (RNADiagReceiver.exe) that, if successfully exploited, may result in a Denial of Service condition.
AFFECTED PRODUCTS
Rockwell Automation’s Security Taskforce has determined the following Allen-Bradley products are affected by these vulnerabilities:
- RSLogix 5000 (versions 17, 18, 19, 20)
- FactoryTalk Directory
- FactoryTalk Alarms & Events
- FactoryTalk View SE
- FactoryTalk Diagnostics
- FactoryTalk Live Data
- FactoryTalk Server Health
VULNERABILITY DETAILS
A successful attack occurs when the RNADiagReceiver.exe service receives a datagram on UDP port 4445 that exceeds 2000 bytes, or when the service receives a specially crafted datagram of a valid size. A successful attack on the service results in one of two conditions, respectively:
1. Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4445.
2. Crash condition that disrupts further execution of the RNADiagReceiver.exe diagnostic service.
The disruption or failure of the service leads to the potential for disruption to the operation of any software that depends on the RNADiagReceiver.exe service. The vulnerability can be exploited remotely from a network-based attack; however, the Security Taskforce has determined that there is no known possibility of malicious code injection and no known escalation of privilege on the host machine that results from successful exploitation.
ADDRESSING THE RISK
Rockwell Automation has released a specific software patch to address this vulnerability in software products that incorporate the RNADiagReceiver.exe service:
http://rockwellautomation.custhelp.com/app/answers/detail/a_id/471091
ADDITIONAL RISK MITIGATION
In addition to applying the above patch, Rockwell Automation recommends concerned customers configure firewalls to block the following TCP ports to prevent traversal of RNA messages into/out of the ICS system:
• 1330
• 1331
• 1332
• 4241
• 4242
• 4445
• 4446
• 6543
• 9111
• 60093
• 49281
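A defender-side check built from the two details above (the 2000-byte limit on UDP port 4445 and the port list), added here as an example and not Rockwell Automation's code. The ICS address range, the flow-record format and the sample records are constructed assumptions; the size test covers only the oversized-datagram condition, not the crafted datagram of valid size.

```python
import ipaddress
from typing import NamedTuple

# Ports the advisory asks firewalls to block at the ICS boundary.
RNA_PORTS = {1330, 1331, 1332, 4241, 4242, 4445, 4446, 6543, 9111, 60093, 49281}
DIAG_UDP_PORT = 4445   # RNADiagReceiver.exe listener named in the advisory
MAX_DATAGRAM = 2000    # advisory: datagrams exceeding 2000 bytes trigger the fault
# Assumption: ICS address range; replace with your own.
ICS_NET = ipaddress.ip_network("10.10.0.0/16")

class Flow(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int
    payload_len: int   # assumption: size is measured as UDP payload length

def parse(line):
    """Parse a constructed record: 'proto src dst dport payload_len'."""
    proto, src, dst, dport, length = line.split()
    return Flow(proto.lower(), src, dst, int(dport), int(length))

def crosses_boundary(flow):
    """True when exactly one endpoint is inside the ICS range."""
    src_in = ipaddress.ip_address(flow.src) in ICS_NET
    dst_in = ipaddress.ip_address(flow.dst) in ICS_NET
    return src_in != dst_in

def findings(flow):
    hits = []
    if (flow.proto == "udp" and flow.dport == DIAG_UDP_PORT
            and flow.payload_len > MAX_DATAGRAM):
        hits.append("oversized-diag-datagram")
    # The advisory lists these as TCP ports while the vulnerable listener is
    # UDP 4445, so this example checks both protocols (an assumption).
    if flow.dport in RNA_PORTS and crosses_boundary(flow):
        hits.append("rna-port-crosses-boundary")
    return hits

def audit(lines):
    flows = (parse(l) for l in lines if l.strip() and not l.startswith("#"))
    return [(f, findings(f)) for f in flows if findings(f)]

# Constructed sample records (not captured traffic).
SAMPLE = """\
udp 192.0.2.15 10.10.4.20 4445 2400
udp 10.10.4.31 10.10.4.20 4445 512
tcp 10.10.4.20 192.0.2.80 1330 120
tcp 192.0.2.15 10.10.4.20 443 900
udp 10.10.4.31 10.10.4.20 4445 2001
"""
```

A "rna-port-crosses-boundary" hit after the firewall change means the block rule is missing or bypassed for that path.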
We also recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best practices:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
3. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
Concerned customers should continue to monitor Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to security in Rockwell Automation products and systems.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security