Introduction
Description
February 12, 2015 - version 1.0
A vulnerability has been discovered by independent researcher Ivan Javier Sanchez in software components that are part of, and shared by, the FactoryTalk Services Platform used in FactoryTalk-branded products and FactoryTalk View Studio.
These vulnerabilities are not exploitable remotely without user interaction. The exploits are only triggered when a local user runs the vulnerable application, which then loads the malformed DLL file. Exploiting this vulnerability relies on successful social engineering of a victim to run an untrusted file or to access a malicious webpage using a browser susceptible to redirection. These actions could allow an untrusted binary or DLL to be loaded into the memory of a client computer.
At this time there is no known publicly available exploit code.
Rockwell Automation has verified the validity of Mr. Sanchez’ discoveries and released new FactoryTalk Services Platform and FactoryTalk View Studio software to address associated risk. Customers using affected versions of this software are encouraged to upgrade to the newest available software versions or apply appropriate patches as indicated below. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.
AFFECTED PRODUCTS
The following software has been confirmed to be susceptible to the reported vulnerability:
Software Name | Version | Verify Software Version Method
FactoryTalk Services Platform (FTSP) | All versions prior to and not including 2.71 | Software version can be verified using the Windows Add/Remove Programs utility
FactoryTalk View Studio | Version 8.00.00 and all prior versions | Software Help > About
VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS
It was discovered that certain DLLs (Dynamic Link Library) that are included with older versions of FactoryTalk Services Platform and View Studio software can be potentially hijacked to allow an attacker to gain access rights to a victim’s affected PC. Such access rights can be at the same, or potentially higher level of privileges as the compromised user account, including up to computer administrative privileges.
DLL hijacking is a known and documented vulnerability class affecting Microsoft Windows operating systems. Exploitation of this vulnerability typically requires social engineering to successfully introduce a malicious DLL onto a target computer, within a specific file directory that is part of the default DLL search path for the particular edition of the Microsoft Windows operating system.
To exploit this vulnerability, an attacker would either have to breach account access or get someone to install software or a specific DLL that was not approved. The malicious DLL would need to be installed on the target computer in a specific file directory that is part of the default DLL search path for the particular edition of the Microsoft Windows operating system.
When a DLL vulnerability is exploited, trusted software can unknowingly load an untrusted DLL in place of the intended DLL. Its effects can range from a software crash (i.e. Denial of Service) requiring software restart, to more significant events such as the injection of malicious code into trusted processes. The malicious code can also access process memory space that may store sensitive information or additional services that may be manipulated by the modified DLL.
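The following PowerShell audit is an added example and is not part of the advisory or a Rockwell Automation tool. It walks the directories that Windows consults for DLLs on behalf of an application (the application directory, the current directory and PATH) and reports two conditions relevant to the vulnerability described above: directories writable by low-privilege identities, and DLLs in those directories that are unsigned or share a name with a System32 DLL. The $AppDir value is an assumed install path; adjust it for your system.

```powershell
# Added audit example (not from the advisory). Assumptions: $AppDir is a
# hypothetical install path; run from an elevated prompt for complete ACL data.
param(
    [string]$AppDir = 'C:\Program Files (x86)\Rockwell Software'   # assumed path, adjust
)

# With SafeDllSearchMode (the default) Windows searches: application directory,
# System32, System, the Windows directory, the current directory, then PATH.
# The audit covers the locations a planted DLL would have to reach.
$searchDirs = @($AppDir, (Get-Location).Path) + ($env:Path -split ';' | Where-Object { $_ })
$system32Dlls = Get-ChildItem "$env:SystemRoot\System32" -Filter *.dll -File |
    ForEach-Object { $_.Name.ToLower() }

# Identities that should never hold write access on a DLL search-path directory:
# Users, Everyone, Authenticated Users.
$lowPrivSids = @('S-1-5-32-545', 'S-1-1-0', 'S-1-5-11')

foreach ($dir in ($searchDirs | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # 1. Directory ACL: can a low-privilege account create or replace files here?
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $null }
        if ($ace.AccessControlType -eq 'Allow' -and $lowPrivSids -contains $sid -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::WriteData)) {
            Write-Warning "$dir is writable by $($ace.IdentityReference): DLL planting is possible here"
        }
    }

    # 2. DLL contents: flag files without a valid Authenticode signature and files
    #    whose name shadows a System32 DLL (a classic sign of a planted library).
    Get-ChildItem -LiteralPath $dir -Filter *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $issues = @()
        if ($sig.Status -ne 'Valid') { $issues += "signature $($sig.Status)" }
        if ($system32Dlls -contains $_.Name.ToLower()) { $issues += 'same name as a System32 DLL' }
        if ($issues) {
            [pscustomobject]@{
                Path      = $_.FullName
                Publisher = $sig.SignerCertificate.Subject
                Issue     = ($issues -join '; ')
            }
        }
    }
}
```

A signature status other than Valid is a prompt to verify the file against the vendor's distribution, not proof of tampering, since some legitimate components ship unsigned.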
CUSTOMER RISK MITIGATION AND REMEDIATION
Although there are no known exploits at this time, customers using affected versions of the FactoryTalk Services Platform and View Studio are encouraged to upgrade to the newest available software versions where possible, or to apply appropriate patches.
Upgrade affected products as follows:
Software | Catalog Number | Affected Versions | Recommendation
FactoryTalk Services Platform (FTSP) | N/A | All software versions prior to and not including 2.71.00 | Upgrade to V2.71.00 or higher (available now). If an upgrade is not currently possible, apply Patch V2.70.00: KB#631115. Note: This software is included with Studio 5000™ software Version 24 and higher.
FactoryTalk View Studio | 9701-VWSS000LENE | Version 8.00.00 and all prior versions | Apply software patch for V8.00.00 or higher: KB#631115. Note: When available, FactoryTalk View Studio V8.10.00 will include this standalone software patch.
If a patch is not available for your system, customers are still advised to follow good practices that prevent unauthorized access to, and unauthorized software on, their production systems.
Where feasible, additional precautions and risk mitigation strategies against this type of attack, such as those listed below, are also recommended. When possible, multiple strategies should be employed simultaneously.
- Limit access to assets running FactoryTalk-branded software, including View Studio and other software, to authorized personnel.
- Run all software as a standard User, not as an Administrator.
- Restrict network access to assets running FactoryTalk-branded software, including View Studio and other software, as appropriate.
- Use trusted software and software patches that are obtained only from highly reputable sources.
- Interact with, and obtain software and software patches from, trustworthy websites only.
- Where possible, run only the newest versions of reputable web browsers that include enhanced protections against browser redirection.
- Use Microsoft AppLocker or a similar application whitelisting tool to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
- Follow good network design practices, including network separation and segmentation, and use DMZs with properly configured firewalls to selectively control and monitor traffic passed between zones and systems.
- Maintain layered physical and logical security, following defense-in-depth design practices for the ICS.
- Reaffirm with employees the importance of constant vigilance, especially regarding the ongoing potential for social engineering attacks to manipulate otherwise normal user behaviors.
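As an added example of the AppLocker item above (this is not Rockwell Automation's guidance or code), the script below generates an AppLocker policy from the executables and DLLs shipped in the product directory, preferring publisher rules for signed files and hash rules for unsigned ones, then tests what the policy would decide for a DLL in a user-writable location. $AppDir, $PolicyXml and the probe path are assumptions; adjust them for your installation.

```powershell
# Added example (not from the advisory). Builds an AppLocker policy whose Dll rule
# collection only allows libraries matching what the product directory ships, so a
# DLL planted in a search-path directory is blocked from loading once enforced.
param(
    [string]$AppDir    = 'C:\Program Files (x86)\Rockwell Software',   # assumed install path
    [string]$PolicyXml = "$env:TEMP\factorytalk-applocker.xml"         # assumed output path
)

# Collect publisher and hash information for the Exe and Dll files the product installs.
$files = Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Exe, Dll

# Publisher rules where the file is signed, hash rules as the fallback for unsigned files.
# Caveat: the generated XML leaves each rule collection's EnforcementMode as
# NotConfigured; the Dll collection must be set to Enabled before DLL rules take effect.
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix FactoryTalk -Xml |
    Set-Content -Path $PolicyXml -Encoding UTF8

# Dry run: show the decision the policy would make for a DLL outside the product directory.
$probe = Join-Path $env:USERPROFILE 'Downloads\example.dll'   # constructed probe path
if (Test-Path -LiteralPath $probe) {
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $probe -User Everyone
}

# Apply by merging into the local policy only after review (and audit-only mode first):
# Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
```

Review the generated XML before applying it: a policy that allows only the product's publishers will also block unrelated software unless rules for that software are merged in as well.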
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.