Version 1.1 - May 18, 2017
Introduction
On May 10, 2017, a new ransomware attack called "WannaCry" (also known as "WannaCrypt") began affecting Microsoft Windows personal computers ("PCs") around the world. The ransomware is a self-propagating "worm" that infects any reachable host on which the Windows SMBv1 vulnerability has not been patched. Microsoft patched this vulnerability in March 2017 under security bulletin "MS17-010", which is included in the monthly Microsoft roll-ups ("MS17-006").
Unlike previous ransomware variants that require social engineering ("phishing"), WannaCry takes advantage of a publicly known vulnerability in Microsoft Windows, which allows it to spread quickly throughout a network and infect additional hosts with no user interaction.
As of this writing, there is no known direct impact to Rockwell Automation products from this ransomware. However, customers who use Rockwell Automation software products may be vulnerable to this attack since this software runs on Microsoft Windows platforms containing the underlying vulnerability which enables this attack.
Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary payment in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically, the user must pay a ransom (in some form of untraceable currency), and must do so before the deadline expires and the decryption key is destroyed.
Rockwell Automation decided to provide this advisory since customers running Rockwell Automation software on Microsoft Windows are likely vulnerable to this attack. Information and links to Microsoft-provided resources are provided below, as well as our qualification report for MS17-010. We are continuing to monitor this situation, and we will update this advisory as we learn more.
Affected Products
According to Microsoft's MS17-010 Security Bulletin, the following operating systems contain the vulnerability:
- Windows XP
- Windows 7
- Windows 8
- Windows 10
- Windows Server 2003
- Windows Server 2008 R1/R2
- Windows Server 2012
- Windows Server 2016
Note: Both 32-bit and 64-bit versions are vulnerable.
At the time of this writing, and according to Microsoft, no versions of Windows CE are affected by these vulnerabilities.
Vulnerability Details
According to Microsoft's MS17-010 Security Bulletin:
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Risk Mitigation & User Action
Rockwell Automation strongly recommends that customers review the Microsoft MS17-010 Security Bulletin, evaluate the risks, and implement a mitigation plan. Microsoft has provided patches for ALL affected operating systems, including XP and 2003. Rockwell Automation suggests that before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to ensure that there are no unexpected results or side effects.
The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 8.1, Windows 7 SP1, and Windows Server 2008 R2 SP1. For detailed information on versions tested, visit the Rockwell Automation MS Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.
1.) For any supported operating systems, utilize the "Windows Update" feature to download and apply updates.
2.) For unsupported operating systems, download English language security updates directly:
3.) For non-English unsupported operating systems, download localized versions for Windows XP, Windows 8 or Windows Server 2003: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
4.) Alternatively, Microsoft recommends that you disable the SMB service following these instructions: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
Note: This will prevent file shares from working in some instances.
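The following PowerShell audit is an added example, not part of the Rockwell advisory or Microsoft's guidance: it checks whether the MS17-010 update named above is installed and whether the SMBv1 server is still enabled, so a host can be reviewed before either remediation step is taken. It assumes an elevated PowerShell 3.0 or later session; Get-HotFix and Get-SmbServerConfiguration are standard cmdlets, and the LanmanServer "SMB1" registry value is the one Microsoft's linked article uses for Windows 7 and Server 2008 R2.

```powershell
# Added example (not from the Rockwell advisory): audit one host for the
# MS17-010 / SMBv1 exposure described above. Run elevated; no changes are made.

function Test-MS17010Exposure {
    param(
        # KB4012598 is the update named in this advisory. Extend the list with
        # the MS17-010 KB ids for your operating system from the Microsoft bulletin.
        [string[]]$KnownPatchIds = @('KB4012598')
    )
    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        PatchFound   = 'none'
        Smb1Enabled  = $null
    }

    # 1. Is any of the known MS17-010 updates installed?
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $KnownPatchIds -contains $_.HotFixID }
    if ($installed) { $result.PatchFound = ($installed.HotFixID -join ',') }

    # 2. Is SMBv1 still served? Prefer the SMB cmdlet (Windows 8 / Server 2012+)
    #    and fall back to the LanmanServer registry value for Windows 7 / 2008 R2.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $result.Smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $v = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        # An absent value means the default, which is enabled on these systems.
        $result.Smb1Enabled = ($null -eq $v) -or ($v -ne 0)
    }

    # Exposed = unpatched AND still offering SMBv1 to the network.
    $result.Exposed = ($result.PatchFound -eq 'none') -and $result.Smb1Enabled
    [pscustomobject]$result
}

# Review the output first; per the advisory, validate any change on a
# non-production system. Where step 4 above is chosen, the supported cmdlet is:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Test-MS17010Exposure | Format-List
```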
The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 7 and Windows Server 2008 R2 SP1.
The Rockwell Automation MS Patch Qualification team has not qualified versions of our products with MS17-010 installed on Microsoft operating systems that are End-of-Life. We consider this patch to be a relatively 'low risk' in impacting Rockwell Automation products and should be applied at your discretion.
In addition, Cisco Talos has released IPS/IDS Snort rules to detect and defend against WannaCry. See their blog post for additional information.
Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, subscribing to Knowledgebase Article 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring MS17-010. Be aware that the attack strategies can change as defenses are built up, and further action may be required.
General Security Guidelines
1.) Refer to Knowledgebase Article 546987 for Rockwell Automation recommended customer hardening guidelines, including information about compatibility between antivirus software and Rockwell Automation products. For a list of Rockwell Automation tested antivirus software, refer to Knowledgebase Article 35330.
2.) Use of Microsoft AppLocker or a similar application whitelisting product can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
3.) Run all software as User, not as Administrator.
4.) Use trusted software and software patches that are obtained only from highly reputable sources.
5.) Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
6.) Locate control system networks and devices behind firewalls, and isolate them from the business network; this helps ensure that messages with mismatched IP and interface origination do not reach the target system.
7.) Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
8.) When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.