Introduction
Description
Version 1.2 - July 20, 2018
Version 1.1 - May 29, 2018
Version 1.0 - April 12, 2018
Two vulnerabilities were discovered in components distributed with every installation of FactoryTalk® Activation Manager. FactoryTalk Activation Manager enables customers to manage licensed content and activate Rockwell software products. One vulnerability exists in certain versions of Wibu-Systems CodeMeter; the second vulnerability is in certain versions of Flexera Software FlexNet Publisher. Both are license management software.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and include the applicable mitigations in their deployed products. Additional details relating to the vulnerability, including affected products and recommended countermeasures, are provided herein.
UPDATE: July 20, 2018
Cisco has released several Snort Rules to address the Flexera software vulnerability. See the Risk Mitigations and Recommended User Actions section for more details.
AFFECTED PRODUCTS
FactoryTalk Activation Manager v4.00.02 and v4.01
- Includes Wibu-Systems CodeMeter v6.50b and earlier
FactoryTalk Activation Manager v4.00.02 and earlier
- Includes FlexNet Publisher v11.11.1.1 and earlier
The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. Customers who recognize products from the following list are using FactoryTalk Activation Manager.
- Arena®
- Emonitor®
- FactoryTalk® AssetCentre
- FactoryTalk® Batch
- FactoryTalk® EnergyMetrix™
- FactoryTalk® eProcedure®
- FactoryTalk® Gateway
- FactoryTalk® Historian Site Edition (SE)
- FactoryTalk® Historian Classic
- FactoryTalk® Information Server
- FactoryTalk® Metrics
- FactoryTalk® Transaction Manager
- FactoryTalk® VantagePoint®
- FactoryTalk® View Machine Edition (ME)
- FactoryTalk® View Site Edition (SE)
- FactoryTalk® ViewPoint
- RSFieldBus™
- RSLinx® Classic
- RSLogix 500®
- RSLogix 5000®
- RSLogix™ 5
- RSLogix™ Emulate 5000
- RSNetWorx™
- RSView®32
- SoftLogix™ 5800
- Studio 5000 Architect®
- Studio 5000 Logix Designer®
- Studio 5000 View Designer®
- Studio 5000® Logix Emulate™
VULNERABILITY DETAILS
Vulnerability #1: CodeMeter Cross-Site Scripting
A Cross-Site Scripting ("XSS") vulnerability was found in certain versions of Wibu-Systems CodeMeter that may allow local attackers to inject arbitrary web script or HTML via a specific field in a configuration file, potentially allowing the attacker to access sensitive information, or even rewrite the content of the HTML page.
CVE-2017-13754 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 2.7/10 has been assigned. For a better understanding of how this score was generated, please follow this link: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N
Vulnerability #2: FlexNet Publisher Remote Code Execution
A custom string copying function of lmgrd.exe (the license server manager in FlexNet Publisher) and flexsvr.exe does not use proper bounds checking on incoming data, potentially allowing a remote, unauthenticated user to send crafted messages with the intent of causing a buffer overflow.
CVE-2015-8277 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 9.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Customers with affected versions of CodeMeter and/or FlexNet Publisher that were installed with FactoryTalk Activation Manager are encouraged to review the table below for suggested actions that will address the risks associated with these vulnerabilities.
Currently Installed | Suggested Actions |
FactoryTalk Activation Manager v4.01 and earlier | Update FactoryTalk Activation Manager to V4.02 and later. If unable to update FactoryTalk Activation Manager to V4.02, update CodeMeter to the latest version of CodeMeter that is compatible with FactoryTalk Activation Manager. For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center (PCDC) Standard Views > Software Latest Versions > FactoryTalk Activation. UPDATE: July 20, 2018: Cisco has released Snort Rule 38246 and Snort Rule 38247. |
Customers are encouraged, when possible, to combine the updates above with these general security guidelines to employ multiple strategies simultaneously.
GENERAL SECURITY GUIDELINES
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Using Microsoft AppLocker or a similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
- Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. A VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Wibu Systems AG CodeMeter 6.50b - Persistent XSS Vulnerability (From SecurityFocus)
- Flexera Software FlexNet Publisher lmgrd contains a buffer overflow vulnerability (From the Vulnerability Notes Database)
- ICS-CERT Advisory (ICSA-18-102-02) Rockwell Automation FactoryTalk Activation Manager
REVISION HISTORY
Date | Version | Details |
20-July-2018 | 1.2 | Added Snort Rules for FlexNet Publisher |
29-May-2018 | 1.1 | ICS-CERT Advisory Link Added |
12-Apr-2018 | 1.0 | Initial Release |