PN1498 | Current Program Updater Vulnerable to Privilege Escalation

Severity: High
Advisory ID: PN1498
Published Date: April 09, 2020
Last Updated: April 09, 2020
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2017-5176
Summary
Current Program Updater Vulnerable to Privilege Escalation

Revision History
Revision Number: 1.0
Version 1.0 - April 09, 2020. Initial Release.

Executive Summary

Rockwell Automation received a vulnerability report from Reid Wightman, a researcher from Dragos, regarding a file permission vulnerability affecting several Dynamic Link Library (DLL) files added during installation of the Current Program Updater software. If successfully exploited, this vulnerability may allow a local attacker to escalate privileges on the targeted PC to gain system administrative control.

Current Program Updater is installed with the Product Selection Toolbox™ suite along with other toolkits. For a full list, please see the affected products below.

Affected Products

Current Program Updater v1.1.0.7 and earlier.

The following tools use the affected version of Current Program Updater:

  • Batch Accelerator Toolkit v1.0.0.0
  • CENTERLINE® 2500 Global Production v1.0.4.0 and earlier
  • CENTERLINE Builder v3.19.0829.02
  • Computer Numerical Control (CNC) Accelerator Toolkit v0.0.0.0
  • Connected Components Accelerator Tool Kit v1.1.0.0 to v3.4.0.0
  • Connected Components Workbench™ software (CCW) v11 and earlier
  • Drives & Motions Accelerator Toolkit v1.0.0.0
  • Energy Management Accelerator Toolkit v3.0.0.0 and earlier
  • PowerOne v1.51.55 and earlier
  • Product Selection Toolbox Suite:
    • CrossWorks™ v4.3.0.11 and earlier
    • Integrated Architecture® Builder v9.7.9.1 and earlier
    • MCSStar v5.1.0.7
    • ProposalWorks™ v10.0.7185.14602 and earlier
    • Product Selection Toolbox Installer v.18.09.x and earlier
    • Prosafe® Builder v1.1.0.0 and earlier
    • Safety Automation Builder® v3.1.0.2 and earlier
    • User-Defined Devices v1.6.0.12 and earlier
  • Safety Accelerator Toolkit v6.0.0.0 and earlier
  • Water Wastewater Accelerator Toolkit v3 and earlier

Vulnerability Details

CVE-2017-5176: File Permission Vulnerability Leading to Privilege Escalation
A local, authenticated attacker could write to several directories containing Dynamic Link Library (DLL) files that execute with system-level privilege. These DLL files inherit the properties of these directories, meaning DLL files that run at the system level can be written to by a normal user, leading to an escalation of privileges. Certain registry keys were also found to be writable by normal users.

A CVSS v3 base score of 7.0/High has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Customers currently using any of the affected tools are encouraged to take the following actions:

  1. Existing customers using affected versions of the tools should update to the newest version of the tools. Existing users can do this by running an update in Current Program Updater. New users can do this by accepting and running the Current Program Updater update offered immediately during installation. After the tool runs, it will apply the most recent version of Current Program Updater as well as the most recent version of the tools currently installed. Fixed versions of toolkits will no longer allow the toolkits to make changes to the access controls of files and registry keys.
  2. Work with your IT administrators to ensure that the following files and registry keys have the correct access control permissions. Ensure that the least-privilege user principle is followed, and user/service account access is only granted with a minimum number of rights as needed.

| Toolkit | Impacted Registry Keys or Files |
| --- | --- |
| All Tools | C:\Windows\SysWOW64\raise.dll |
| All Tools | C:\Windows\SysWOW64\SSPodt.exe |
| All Tools | HKEY_CLASSES_ROOT\RAISE |
| Batch Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\Installed Components\Batch |
| CENTERLINE 2500 Global Product Configuration Builder | HKEY_CLASSES_ROOT\RAISE\Installed Components\Installed Components\EST_Adv |
| CENTERLINE Builder | HKEY_CLASSES_ROOT\RAISE\Installed Components\CENTERLINEBuilder |
| CNC Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\Installed Components\CMAT |
| Connected Components Accelerator Tool Kit | HKEY_CLASSES_ROOT\RAISE\Installed Components\CCAT |
| Current Program Updater | HKEY_CLASSES_ROOT\RAISE\Installed Components\Shared |
| Drives and Motion Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\Installed Components\Simp_DMAT |
| Energy Management Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\Installed Components\Simp_EMAT |
| Product Selection Toolbox Suite | HKEY_CLASSES_ROOT\RAISE\Installed Components\Shared |
| Safety Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\InstalledComponents\Simp_SafetyGuardLogix |
| Water Wastewater Accelerator Toolkit | HKEY_CLASSES_ROOT\RAISE\Installed Components\Simp_WWWAT |

  3. If a toolkit has been installed to a custom directory, customers are encouraged to identify what other directories may have had the access level privileges modified by the toolkits and work with their IT administrator to ensure the directories have the correct level of permissions. Ensure that the least-privilege user principle is followed, and user/service account access is only granted with a minimum number of rights as needed. To identify these directories, customers can review the list at the following registry key:

    HKEY_CLASSES_ROOT\RAISE\Installed Components
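
One way to carry out the permission review in steps 2 and 3, as an added example that is not Rockwell Automation's code: a read-only PowerShell audit that lists Allow entries granting write-type rights to broad groups on the files and registry keys named above. The helper name `Get-WeakAce`, the set of "broad" SIDs, and the idea that custom install directories are stored as string values under the RAISE key are assumptions of this example.

```powershell
# Added example, not vendor code. Reports Allow ACEs that let broad groups modify
# the files and registry keys named in this advisory. Read-only; changes nothing.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'  # Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE (assumed set)
# Write-type bits only: Modify and WriteKey also contain read bits and would over-match.
$fileMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$regMask  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$generic  = 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE as stored in raw ACEs

function Get-WeakAce {   # hypothetical helper name
    param([string]$Path, [int]$Mask)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    # Request SIDs directly so matching does not depend on localized group names.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $rights = if ($r -is [System.Security.AccessControl.RegistryAccessRule]) { $r.RegistryRights } else { $r.FileSystemRights }
        if ($r.AccessControlType -eq 'Allow' -and $r.IdentityReference.Value -in $broadSids -and
            ([int]$rights -band ($Mask -bor $generic))) {
            [pscustomobject]@{ Path = $Path; Sid = $r.IdentityReference.Value; Rights = $rights; Inherited = $r.IsInherited }
        }
    }
}

$root    = 'Registry::HKEY_CLASSES_ROOT\RAISE'
$files   = 'C:\Windows\SysWOW64\raise.dll', 'C:\Windows\SysWOW64\SSPodt.exe'
$subkeys = @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

# Assumption: custom install directories appear as string values under the RAISE key
# (the advisory points to "Installed Components"); keep only values naming a real directory.
$dirs = foreach ($k in $subkeys) {
    foreach ($name in $k.GetValueNames()) {
        $v = $k.GetValue($name)
        if ($v -is [string] -and $v -match '^[A-Za-z]:\\' -and (Test-Path -LiteralPath $v -PathType Container)) { $v }
    }
}

$findings = @(
    @($files) + @($dirs | Select-Object -Unique) | ForEach-Object { Get-WeakAce $_ $fileMask }
    @($root) + @($subkeys.PSPath) | ForEach-Object { Get-WeakAce $_ $regMask }
)
$findings | Sort-Object Path, Sid | Format-Table -AutoSize -Wrap
```

An empty result means none of the checked objects grants write-type access to the listed groups; any row returned is an entry to review with your IT administrator against the least-privilege guidance above.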

The following toolkits are considered End of Life (EOL):

Product Family:

  • Connected Components Accelerator Tool Kit
  • Drives & Motions Accelerator
  • CNC Accelerator Toolkit
  • Safety Accelerator Toolkit
  • Energy Management Accelerator Toolkit
  • Water Wastewater Accelerator Toolkit

Suggested Actions: Customers are encouraged to discontinue use of these toolkits and uninstall if possible and follow the remediation steps outlined above.

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://www.us-cert.gov/ics/advisories/ICSA-17-047-01
