Introduction
Description
April 5, 2013
Updated: June 28, 2013
Rockwell Automation was notified through ICS-CERT that Carsten Eiram from the security firm Risk Based
Security (www.riskbasedsecurity.com) identified vulnerabilities that affect a software component of the
FactoryTalk™ Services Platform (RNADiagnostics.dll) and two software components of RSLinx Enterprise
software (LogReceiver.exe and Logger.dll). These vulnerabilities have been confirmed to be remotely
exploitable and can lead to termination of the affected software services and Denial of Service conditions.
To date, Rockwell Automation is not aware of any known cases of successful exploitation of these
vulnerabilities in operational systems. Furthermore, we are not aware of publicly available proof of
concept exploit code.
Rockwell Automation worked directly with Mr. Eiram to verify his findings, determine root cause and
validate the resulting software patches being issued for the FactoryTalk Services Platform and RSLinx
Enterprise software. Given the company’s focus on continuous improvement, added steps are being taken to
further enhance the development and testing processes associated with these products. As a result,
additional product hardening enhancements have been included in the referenced software patches and will
continue to be deployed via forthcoming product releases.
AFFECTED PRODUCTS
- All FactoryTalk-branded software, including CPR9-SR0 through SR6
- All RSLinx Enterprise software, prior to and including CPR9 and CPR9-SR1 through SR6
VULNERABILITY DETAILS AND IMPACTS
FACTORYTALK SERVICES PLATFORM
(RNADiagnostics.dll)
This software component exhibits a vulnerability that results from missing input validation and improper
exception handling of streaming data. A specially crafted packet sent to TCP port 5241 will crash the
RsvcHost.exe service. A successful attack will result in the following:
- Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4445.
- Crash condition that disrupts further execution of the RNADiagnostics.dll or RNADiagReceiver.exe
diagnostic service.
The vulnerability can be exploited remotely from a network-based attack; however, no possibility of
malicious code injection or escalation of privilege on the host machine is known to result from
successful exploitation. There is also no indication that exploitation will directly disrupt operation
of a Rockwell Automation programmable controller, operator interface or other networked device connected
elsewhere in the local control system.
RSLINX ENTERPRISE SOFTWARE
(LogReceiver.exe and Logger.dll)
These software components exhibit a vulnerability that results from a logic error in the service's handling
of zero-byte or very large datagrams received on UDP port 4444 (user-configurable, but not enabled by
default). When successfully exploited, the vulnerability causes the thread receiving data to exit, so the
service silently ignores further incoming requests. A successful attack will result in the following two
conditions:
- Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4444.
- Crash condition that disrupts further execution of LogReceiver.exe.
The vulnerability can be exploited remotely with the potential for code injection; however, no
possibility of escalation of privilege on the host machine is known to result from successful
exploitation. Although theoretical, a possibility of remote code execution has been identified. There
is also no indication that exploitation will directly disrupt operation of a Rockwell Automation
programmable controller, operator interface or other networked device connected elsewhere in the local
control system.
<Update Start>
As a result of additional analysis of the LogReceiver.exe service conducted by Risk Based Security, Inc.,
additional enhancements have been made to LogReceiver.exe to further increase the resiliency of the service.
<Update End>
RISK MITIGATION
Software patches for affected FactoryTalk Services Platform and RSLinx Enterprise software are being
released to mitigate the associated risk:
Product Description | Affected Versions | Recommendations
FactoryTalk Services Platform (FTSP) | CPR9, CPR9-SR1, CPR9-SR2, | Upgrade to FTSP CPR9-SR5 or newer
FactoryTalk Services Platform (FTSP) | CPR9-SR5 | Apply patch: AID#522048 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522048
FactoryTalk Services Platform (FTSP) | CPR9-SR5.1 | Apply patch: AID#522049 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522049
FactoryTalk Services Platform (FTSP) | CPR9-SR6 | Apply patch: AID#522052 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522052

Product Description | Affected Versions | Recommendations
RSLinx Enterprise | CPR9, CPR9-SR1, CPR9-SR2, | Upgrade to RSLinx CPR9-SR5 or newer
RSLinx Enterprise | CPR9-SR5 | Apply patch: AID#544798 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/544798 (Update: AID#534705 has been replaced with AID#544798, which includes additional security enhancements.)
RSLinx Enterprise | CPR9-SR5.1 | Apply patch: AID#545535 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/545535 (Update: AID#537302 has been replaced with AID#545535, which includes additional security enhancements.)
RSLinx Enterprise | CPR9-SR6 | Apply patch: AID#545537 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/545537 (Update: AID#535962 has been replaced with AID#545537, which includes additional security enhancements.)
Corrective actions have been taken to help ensure subsequent software versions of FactoryTalk Services
Platform, including FactoryTalk Diagnostics, and RSLinx Enterprise will remain free of this
vulnerability.
In addition to applying the above patches, to help further reduce the likelihood of compromise and the
associated security risk, Rockwell Automation recommends the following immediate mitigation strategies.
When possible, multiple strategies should be employed simultaneously:
- The RNADiagReceiver.exe service should only run on servers that will receive diagnostics from PanelView
Plus terminals. It is advisable to disable this service via the Microsoft Windows Services control panel on
servers that do not require it.
- Configure firewalls to block the following TCP ports to prevent traversal of RNA messages into/out of
the ICS system:
- 1330
- 1331
- 1332
- 4241
- 4242
- 4445
- 4446
- 5241
- 6543
- 9111
- 60093
- 49281
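The two immediate mitigations above (disable the diagnostics receiver where it is not needed, block the RNA ports at the control-system boundary) can be applied on a Windows host with the following script. This is an added example, not code from the advisory or from Rockwell Automation; it assumes an elevated PowerShell session with the NetSecurity module (Windows 8 / Server 2012 or later), locates the receiver service by its executable path because the advisory does not give the service name, and, as a labelled extension, also blocks UDP 4444/4445 since the vulnerability details name those ports.

```powershell
# Added example (not from the Rockwell advisory). Meant for hosts at the boundary of the
# control system: FactoryTalk servers that exchange RNA traffic with each other would be
# broken by blocking these ports between them, so review the scope before deploying.

# TCP ports the advisory lists for firewall blocking.
$RnaTcpPorts = @(1330, 1331, 1332, 4241, 4242, 4445, 4446, 5241, 6543, 9111, 60093, 49281)
# Assumption: the vulnerability details name UDP 4444 (LogReceiver.exe) and UDP 4445
# (RNADiagnostics), so those are blocked as well.
$RnaUdpPorts = @(4444, 4445)

function Add-RnaBlockRule {
    param([string]$Protocol, [int[]]$Ports)
    $name = "Block RNA $Protocol (Rockwell advisory)"
    # Idempotent: re-running the script must not create duplicate rules.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $Protocol `
            -LocalPort $Ports -Action Block -Profile Any | Out-Null
        Write-Host "Created inbound block rule: $name"
    } else {
        Write-Host "Rule already present: $name"
    }
}

Add-RnaBlockRule -Protocol TCP -Ports $RnaTcpPorts
Add-RnaBlockRule -Protocol UDP -Ports $RnaUdpPorts

# Set to $true only on servers that receive diagnostics from PanelView Plus terminals.
$ReceivesPanelViewDiagnostics = $false

# Find the service by executable name instead of a service name the advisory does not give.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*RNADiagReceiver.exe*' }
if (-not $svc) {
    Write-Host "RNADiagReceiver.exe is not installed as a service on this host."
} elseif ($ReceivesPanelViewDiagnostics) {
    Write-Host "Leaving $($svc.Name) enabled: this server receives PanelView Plus diagnostics."
} else {
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service -Name $svc.Name -StartupType Disabled
    Write-Host "Stopped and disabled $($svc.Name) ($($svc.PathName))"
}
```

Run it once on each host after verifying which servers actually receive PanelView Plus diagnostics; `Get-NetFirewallRule -DisplayName 'Block RNA*'` shows the rules it created.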
We also recommend concerned customers remain vigilant and continue to follow security strategies that
help reduce risk and enhance overall control system security. Where possible, we suggest you apply
multiple recommendations and complement this list with your own best-practices:
- Employ layered security and defense-in-depth methods in system design to restrict and control access to
individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for
comprehensive information about implementing validated architectures designed to deliver these measures.
- Restrict physical and electronic access to automation products, networks and systems to only those
individuals authorized to be in contact with control system equipment and perform product firmware
upgrades to that equipment.
- Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
Concerned customers are encouraged to continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information
relating to this matter.
For more information and for assistance with assessing the state of security of your existing control
system, including improving your system-level security when using Rockwell Automation and other vendor
controls products, you can visit the Rockwell Automation Security Solutions web site at
http://www.rockwellautomation.com/solutions/security