PN1037 | RSLinx Classic Heap and Buffer Overflow Vulnerabilities

Introduction

Description

Version 1.0 - September 20, 2018

Rockwell Automation received reports regarding potential vulnerabilities in certain versions of RSLinx® Classic that, if successfully exploited, can cause memory corruption issues which may result in a crash of the software application (Denial of Service) or potentially allow the threat actor to execute arbitrary code on the target machine. One of these reports was received from Tenable, a cybersecurity software vendor. RSLinx® Classic is a software solution that allows Logix5000™ Programmable Automation Controllers to connect to a wide variety of Rockwell Software® applications, ranging from programming, data acquisition, configuration applications as well as those that interact with a human machine interface (HMI).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

RSLinx Classic, v4.00.01 and earlier

VULNERABILITY DETAILS

Rockwell Automation received these reports from Tenable, a cybersecurity software vendor, and ICS-CERT, . The report from Tenable contained details regarding Vulnerability #1 and Vulnerability #2. The report from ICS-CERT contained details regarding Vulnerability #3.

Vulnerability #1: Stack Overflow

This vulnerability may allow a remote threat actor to intentionally send a malformed CIP packet to port 44818, causing the software application to stop responding and crash. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the threat actor to remotely execute arbitrary code.

CVE-2018-14829 has been assigned to his vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 10.0 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Vulnerability #2: Heap Overflow

This vulnerability may allow a remote, unauthenticated threat actor to intentionally send a malformed CIP packet to port 44818, causing the RSLinx Classic application to terminate. The user will need to manually restart the software to regain functionality.

CVE-2018-14821 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Vulnerability #3: Denial of Service

A remote, unauthenticated threat actor may intentionally send specially crafted Ethernet/IP packets to port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality.

CVE-2018-14827 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected controllers are encouraged to update their software with an available patch that addresses the associated risk. Customers who are unable to implement a software patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

1. Update products according to this table:

1. Customers may disable port 44818 in RSLinx Classic if it is not utilized during system operation. To disable port 44818, go to Options in RSLinx Classic. Then in the General tab of the Options pop-up, uncheck the option "Accept UDP Messages on Ethernet Port".
   1. Port 44818 is needed only when a user wants to utilize unsolicited messages. To check if you are using unsolicited messages, go to the "DDE/OPC" dropdown in RSLinx Classic. Select Topic Configuration and then go to the "Data Collection" tab in the Topic Configuration pop-up. The "Unsolicited Messages" checkbox is marked, then port 44818 is being used in your application.
   2. Note: In the next release of RSLinx Classic 4.10 or later, "Accept UDP Messages on Ethernet Port" checkbox is unchecked by default.
   3. Note: Applying the patch will not change the state of the "Accept UDP Messages on Ethernet Port" setting.

GENERAL SECURITY GUIDELINES

• Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP traffic from unauthorized sources are blocked.
• Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
• Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
• Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
• Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
• Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

• 54102 - Industrial Security Advisory Index
• Industrial Firewalls within a CPwE Architecture
• Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
• [ICS-CERT/NCCIC] ISA-18-263-02 Rockwell Automation RSLinx Classic

REVISION HISTORY

KCS Status