PN958 | FactoryTalk Activation Unquoted Service Path Privilege Escalation

Introduction

Description

Version 1.2 - August 24, 2017
Version 1.1 - March 21, 2017
Version 1.0 - February 16, 2017

Update: March 21, 2017
A complete list of the software products that distribute versions of FactoryTalk® Activation Manager has been identified and listed under the affected products below. FactoryTalk Activation is a component of the FactoryTalk Services Platform that enables customers to activate and manage Rockwell Automation software products via activation files that are downloaded from the Internet.

In those instances where customers using one of the listed software products are unable to update to the latest version of FactoryTalk Activation, please refer to the KnowledgeBase Article ID 939382 to verify and patch any unquoted service paths in a specific system.

An unquoted service path privilege escalation vulnerability is a known and documented vulnerability that affects all versions of Windows that support spaces in file path names. Certain versions of FactoryTalk® Activation Manager are susceptible to this vulnerability. FactoryTalk Activation is a component of the FactoryTalk Services Platform that enables customers to activate and manage Rockwell Automation software products via activation files that are downloaded from the Internet. This vulnerability can be exploited to link to, or run, a malicious executable of the attacker’s choosing.

Rockwell Automation has provided a software update containing the remediation for this vulnerability. Rockwell Automation has also provided a series of steps to allow customers to mitigate this vulnerability in previously downloaded versions. Further details about this vulnerability, as well as recommended countermeasures, are contained below.

AFFECTED PRODUCTS
FactoryTalk Activation Service v4.00.02 and earlier

Update: March 21, 2017
The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. All versions prior to, and including, v4.00.02 of the FactoryTalk Activation Service are affected. In other words, customers who recognize products from the following list are using FactoryTalk Activation Manager, and they may consult the Risk Mitigation section of this advisory for information on how to verify that their systems are affected and how to manually address this vulnerability.

• Arena®
• Emonitor®
• FactoryTalk® AssetCentre
• FactoryTalk® Batch
• FactoryTalk® EnergyMetrix™
• FactoryTalk® eProcedure®
• FactoryTalk® Gateway
• FactoryTalk® Historian Site Edition (SE)
• FactoryTalk® Historian Classic
• FactoryTalk® Information Server
• FactoryTalk® Metrics
• FactoryTalk® Transaction Manager
• FactoryTalk® VantagePoint®
• FactoryTalk® View Machine Edition (ME)
• FactoryTalk® View Site Edition (SE)
• FactoryTalk® ViewPoint
• RSFieldBus™
• RSLinx® Classic
• RSLogix 500®
• RSLogix 5000®
• RSLogix™ 5
• RSLogix™ Emulate 5000
• RSNetWorx™
• RSView®32
• SoftLogix™ 5800
• Studio 5000 Architect®
• Studio 5000 Logix Designer®
• Studio 5000 View Designer®
• Studio 5000® Logix Emulate™

VULNERABILITY DETAILS

Successful exploitation of this vulnerability could potentially allow an authorized, but non-privileged, local user to execute arbitrary code with elevated privileges on the system. A well-defined service path enables Windows to easily find the path to a service; this is accomplished by containing the path within quotation marks. Without quotation marks, any whitespace in the file path remains ambiguous, and an attacker could drop a malicious executable if the service path is discovered.

This vulnerability allows an authorized individual with access to a file system to possibly escalate privileges by inserting arbitrary code into the unquoted service path. When the Windows Service Manager starts the service, it will attempt to launch the implanted executable rather than the intended and authentic executable.

A CVSS v3 base score of 8.8 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

RISK MITIGATIONS

Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.

Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation. To download v4.01 or later, go to this link for PCDC (Product Compatibility & Download Center) and select "Select Files" icon for all Free Downloads. Select latest FactoryTalk Activation from the list of downloads.

Update: August 24, 2017
Customers can consult the Product Compatibility and Download Center Standard Views>Software Latest Versions>FactoryTalk Activation for details about the latest FactoryTalk Activation Manager.

Note: When centralizing FactoryTalk Activation Manager (FTAM) to a single server host, it is important to ensure that the centralized Activation server is running a version of FactoryTalk Activation Manager equal to, or greater than, the latest version of client FTAM on your network. It is important to update the central activation servers before client activation servers. For details visit Knowledgebase Article 612825 Managing Remote FactoryTalk Activation Manager Servers.

If unable to upgrade to the latest version visit KnowledgeBase Article ID 939382, which describes how to identify whether or not your service path contains spaces (i.e. is vulnerable); how to manually address this vulnerability through a registry edit; and walks through the process of doing such edits.

Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.

1. Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in Knowledgebase Article ID 546987.
2. Use trusted software, software patches, anti-virus / anti-malware programs, and interact only with trusted web sites and attachments.
3. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
4. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
5. Locate control system networks and devices behind firewalls, and isolate them from the business network.
6. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
7. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory, the Rockwell Automation Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter. For further information on our Vulnerability Management process, please refer to our Product Security Vulnerability FAQ document.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation, and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

Product Security Vulnerability FAQ

REVISION HISTORY

KCS Status