PN1026 | RSLinx Classic and FactoryTalk Linx Gateway Privilege Escalation through Unquoted Service Path

Introduction

Description

Version 1.0 - June 07, 2018

An unquoted service path privilege escalation vulnerability is a known and documented vulnerability that affects all versions of Windows that support spaces in file path names. Rockwell Automation® received a report from Gjoko Krstic of Zero Science Lab that certain versions of RSLinx® Classic and FactoryTalk® Linx™ Gateway (previously known as FactoryTalk Gateway) are potentially susceptible to this vulnerability. RSLinx Classic is two software solutions that allow Logix5000™ Programmable Automation Controllers to connect to a wide variety of Rockwell Software® applications, ranging from programming, data acquisition, configuration applications as well as those that interact with a Human-Machine Interface (HMI). FactoryTalk Linx Gateway is software that provides an OPC UA server interface to allow the delivery of information from Rockwell Software applications to Allen-Bradley controllers.

Rockwell Automation has provided a software update containing the remediation for this vulnerability. For previous versions of this software, a series of steps to mitigate this vulnerability have been provided. Further details about this vulnerability, as well as recommended countermeasures, are contained below.

AFFECTED PRODUCTS

RSLinx Classic, V3.90.01 and earlier
FactoryTalk Linx Gateway, V3.90.00 and earlier

VULNERABILITY DETAILS

Successful exploitation of this vulnerability could potentially allow an authorized, but non-privileged local user to execute arbitrary code of the threat actor’s choosing on the affected workstation. This vulnerability could also potentially allow a threat actor to escalate user privileges on the affected workstation. A well-defined service path enables Windows to easily find the path to a service by containing the path within quotation marks. Without quotation marks, any whitespace in the file path remains ambiguous, and the threat actor could drop a malicious executable once an unquoted service path is discovered.

CVE-2018-10619 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected versions of RSLinx Classic, FactoryTalk Linx and/or FactoryTalk Gateway OPC are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

1. If unable to upgrade to the latest version visit Knowledgebase Article ID 939382, which describes how to identify whether or not your service path contains spaces (i.e. is vulnerable); how to manually address this vulnerability through a registry edit; and describes the process of implementing these edits.
2. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
3. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https:rockwellautomation.custhelp.comappanswersdetaila_id546989.
4. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

GENERAL SECURITY GUIDELINES

1. Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in Knowledgebase Article ID 546987.
2. Use trusted software, software patches, anti-virus / anti-malware programs, and interact only with trusted web sites and attachments.
3. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
4. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
5. Locate control system networks and devices behind firewalls, and isolate them from the business network.
6. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
7. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

• 54102 - Industrial Security Advisory Index
• 546987 - Rockwell Automation Customer Hardening Guidelines
• ICS-CERT Advisory: Rockwell Automation Classic and FactoryTalk Linx Gateway

REVISION HISTORY

KCS Status