Introduction
Description
Version 1.0 – February 24th 2016
A vulnerability has been discovered by Ivan Javier Sanchez of Nullcode Team in the Integrated Architecture Builder (IAB) tool. This tool is used by our customers to configure their Logix-based automation systems, select hardware, and generate bills of material for applications including controllers, I/O, networks, drives, cabling & wiring, motion control, and other devices.
The discovered vulnerability is not remotely exploitable and successful social engineering is required to convince a victim to use the tool to open an untrusted, specifically modified project file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as the IAB tool. The impact to the user’s environment is highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ. At this time there is no known publicly available exploit code.
Rockwell Automation has verified the validity of Mr. Sanchez’s discoveries and a new software release has been issued for Integrated Architecture Builder which addresses the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.
AFFECTED PRODUCTS
- Integrated Architecture Builder, Versions 9.6.0.7 and earlier
- Integrated Architecture Builder, Versions 9.7.0.0 and 9.7.0.1
VULNERABILITY DETAILS
IAB has a capability to open an existing project file containing a control system hardware definition so that the user can create a validated bill of material. The discovered vulnerability is within the IAB.exe code that parses this project file content. In certain cases where a uniquely crafted or altered file is used, the IAB.exe parser can be made to execute unknown code on the affected computer. If successful, such unknown code will be running at the same privilege level as the user who is logged into the machine.
Exploitation of this vulnerability requires an attacker to convince a user to introduce or replace project files with specifically created or modified project files that have been constructed to use this condition to successfully execute malicious code.
Potential impacts from a successful attack could include a software crash (e.g. Denial of Service) thereby requiring a software restart. In more extreme cases, the victim may not even be aware of vulnerability exploitation while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same, or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.
CVE-2016-2277 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
CUSTOMER RISK MITIGATIONS AND REMEDIATION
Customers using affected versions of the Integrated Architecture Builder are encouraged to upgrade to the newest available software versions that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies for this type of attack, like those listed below, are similarly recommended. When possible, multiple strategies should be employed simultaneously.
- Do not open untrusted project files with IAB.exe.
- Upgrade Integrated Architecture Builder V9.6.0.7 and earlier to either V9.7.0.2+ or V9.6.0.8+ (available now) using Current Program Updater. Current Program Updater is a program that is installed on your computer when you install Integrated Architecture Builder. The User Guide to Current Program Updater is built into the application should you need additional information.
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- Use of Microsoft AppLocker or a similar application whitelisting tool can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.