Severity:
Critical,
High,
Medium
Advisory ID:
PN1536
Published Date:
November 24, 2020
Last Updated:
November 24, 2020
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2020-27251,
CVE-2020-27255,
CVE-2020-27253
Summary
FactoryTalk® Linx® Affected by Multiple Denial-of-Service and Heap Overflow Vulnerabilities
Revision History
Revision Number
1.0
Revision History
Version 1.0 - November 24, 2020. Initial Release.
Executive Summary
Rockwell Automation PSIRT received a report from Claroty, an industrial security product vendor and research company, regarding three vulnerabilities in FactoryTalk® Linx software. If successfully exploited, these vulnerabilities may result in denial-of-service conditions, controlling of the execution flow or information disclosure. If the vulnerabilities are chained together, it may be possible to achieve remote code execution.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Special thanks to Claroty for discovering this vulnerability.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Special thanks to Claroty for discovering this vulnerability.
Affected Products
FactoryTalk Linx v6.11 and earlier.
Vulnerability Details
CVE-2020-27251: Remote Code Execution due to Heap Overflow
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
CVSS v3.1 Base Score: 9.8/10 [Critical]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-27253: Denial-of-service due to a flaw in Ingress/Egress checks routine
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.
CVSS v3.1 Base Score: 8.6/10 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2020-27255: Information Disclosure and ASLR bypass due to Heap Overflow
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in leaking sensitive information. This information disclosure could lead to the bypass of Address Space Layout Randomization (ASLR).
CVSS v3.1 Base Score: 5.3 /10 [Medium]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.
CVSS v3.1 Base Score: 9.8/10 [Critical]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-27253: Denial-of-service due to a flaw in Ingress/Egress checks routine
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.
CVSS v3.1 Base Score: 8.6/10 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2020-27255: Information Disclosure and ASLR bypass due to Heap Overflow
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in leaking sensitive information. This information disclosure could lead to the bypass of Address Space Layout Randomization (ASLR).
CVSS v3.1 Base Score: 5.3 /10 [Medium]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Risk Mitigation & User Action
Customers using the affected FactoryTalk Linx are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Details | Recommended User Actions |
CVE-2020-27253 CVE-2020-27251 CVE-2020-27255 | For FactoryTalk Linx v6.10 and v6.11 see Patch Answer ID BF25509 Additionally, the user could move to v6.20 which is available on the PCDC |
General Security Guidelines
Software/PC-based Mitigation Strategies
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation® products is available at Knowledgebase Article ID QA17329.
- Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
Copyright ©2022 Rockwell Automation, Inc.