Introduction
Description
April 30, 2015 - Version 1.0
A vulnerability has been discovered by Vladimir Dashchenko and Dmitry Dementjev, Information Security Analysts at Ural Security System Center (USSC), in the encryption approach used by specific versions of RSView32 software to protect the contents of a file containing user-defined passwords. The passwords stored within the file are used to authenticate users in order to grant access to the software and user-created content.
Rockwell Automation has verified the validity of Mr. Dashchenko and Mr. Dementjev’s discovery, and a software patch has been released for RSView32 that enhances the security of the mechanism used by the software to create, manage and make use of user-defined passwords. Customers who continue to use affected versions of the software are encouraged at a minimum to apply this patch, or migrate to more contemporary Rockwell Automation solutions. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
The following software has been confirmed to be susceptible to the reported vulnerability:
Software Name | Version |
RSView32 | All software versions up to and including RSView32 - 7.60.00 (CPR9 SR4) |
VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS
A vulnerability has been discovered in the encryption approach used by RSView32 to create a password storage file used with the software.
User-defined usernames and passwords for RSView32 are stored within the users.act file. The associated weakness in the file is a result of the software using a weak and outdated encryption algorithm. The technology weakened password complexity prior to encrypting the password. In addition, the algorithm’s strength has decreased over time as compared to more contemporary encryption technologies. Content encrypted with this older algorithm, such as the users.act file, may be susceptible to unauthorized decryption. If successfully exploited, user-defined passwords can be learned.
For such exposure, an attacker must first gain access to the specific password storage file, or to a copy of the file that is stored local to the RSView32 product. In order to gain such access, the security of the local machine would need to be compromised in some way to allow local or remote access, or some form of successful social-engineering would be needed to convince a victim to grant access to, or supply the particular file to a malicious third party. To make use of the passwords to access user-defined RSView32 protected content, an attacker would similarly need to reverse-engineer the decryption algorithm to learn the plain text, before being able to authenticate and gain access to that protected content.
At this time there is no known publicly available exploit code.
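The exposure described above depends on who can read users.act or a copy of it. The following PowerShell audit is an added example, not Rockwell Automation code: it lists every users.act under a root folder and reports the copies that broad Windows groups are allowed to read. The root path is a placeholder assumption, and the script assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: inventory users.act copies and flag broadly readable ones.
param(
    # Assumption: placeholder root; point it at your project and backup folders.
    [string]$Root = 'C:\RSView32Projects'
)

# Well-known SIDs of broad groups (language-independent, unlike display names).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# ReadData is the file-level right needed to read the file's contents.
$ReadMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$SidType  = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -Path $Root -Filter 'users.act' -File -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $acl  = Get-Acl -LiteralPath $file.FullName

    foreach ($ace in $acl.Access) {
        # Only Allow entries that include the right to read file data matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $ReadMask) -eq 0) { continue }

        try {
            $sid = $ace.IdentityReference.Translate($SidType).Value
        } catch {
            continue   # account name could not be resolved; skip this entry
        }

        if ($BroadSids.ContainsKey($sid)) {
            # One output row per broad principal that can read this copy.
            [pscustomobject]@{
                Path      = $file.FullName
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                LastWrite = $file.LastWriteTime
            }
        }
    }
}
```

Rows marked Inherited = True point to a parent folder permission as the place to tighten access; any users.act found outside the live project folder is a stray copy to review.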
CUSTOMER RISK MITIGATION AND REMEDIATION
A software patch has been released for RSView32 to mitigate risk associated with the discovered vulnerability. Customers using affected versions of RSView32 are encouraged to apply this patch and take added precautions as outlined herein.
Where feasible, additional precautions and risk mitigation strategies against this type of attack, like those listed below, are similarly recommended. When possible, multiple strategies should be employed simultaneously.
- Apply the following patch if using an affected software version:
Software | Catalog Number | Affected Software | Recommendation |
RSView32 | 9301-2SEx | All software versions prior to, not including RSView32 - 7.60.00 (CPR9 SR4) | Apply reference software patch: RSView32 - 7.60.6.11 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/635640 |
- Limit access to assets with RSView32 and other software only to authorized personnel.
- Restrict network access to assets with RSView32 and other software as appropriate.
- Use trusted software and software patches that are obtained only from highly reputable sources.
- Interact with, and only obtain software and software patches from trustworthy websites.
- Use of Microsoft AppLocker or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
- Follow good network design practices that include network separation and segmentation, and use of DMZs with properly configured firewalls to selectively control and monitor traffic passed between zones and systems.
- Maintain layered physical and logical security and defense-in-depth design practices for the ICS.
- Reaffirm with employees the importance of constant vigilance, especially the ongoing potential for social engineering attacks to manipulate otherwise normal user behaviors.
- Upgrade the affected product to a more contemporary, in-support product and compatible operating system; establish a patch management and product upgrade strategy too.*
*ONGOING RISKS AND PRODUCT MIGRATION
The RSView32 product has inherent technical limitations that are likely to make subsequent security patches more difficult, if not altogether infeasible in the future. Furthermore, RSView32 is not compatible with certain contemporary versions of the Microsoft Windows® operating system. While this particular product patch helps to mitigate a very specific security risk, it has no positive effect on other known and unknown vulnerabilities in the Windows OS on which the product is installed and operates. In addition, some Windows versions (with which the product still operates) are no longer in support by the manufacturer, yet they are known to be highly susceptible to a variety of significant, unpatchable security risks.
We recommend customers consider upgrading their software and compatible operating systems to more contemporary versions everywhere possible. In parallel, customers should adopt measures to keep products current and patched.
For those customers who choose to continue using RSView32, we strongly recommend they upgrade the operating system on which the product runs to a compatible version that is as current as possible and is still in support by the manufacturer. When this compatibility can no longer be assured, or the operating system support expires, Rockwell Automation stands ready to help our customers migrate to contemporary solutions as we also help protect and leverage their previous investments.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.