Severity: Medium
Advisory ID: PN794
Published Date: January 25, 2021
Last Updated: January 25, 2021
Revision Number: 2.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2014-0755
Summary: RSLogix 5000 Studio 5000 Logix Designer Source Protection Vulnerability
Revision History
Version 2.0 – January 25, 2021 – Advisory updated for clarification.
Version 1.0 – February 04, 2014 – Initial Release. Originally Titled “RSLogix™ 5000 Password Vulnerability”.
Executive Summary
It has come to Rockwell Automation’s attention that a vulnerability exists in RSLogix 5000® and Studio 5000 Logix Designer® that, when exploited, provides access to content that was secured using Source Key Protection, and in some instances, may expose the password used for that protection.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
Project content applying access control with Source Key Protection using an sk.dat file in RSLogix 5000 and/or Studio 5000 product software v7 and above.
Note: This does not apply to project content protected with License Source Protection. To determine what solution is in use, refer to Logix 5000 Controllers Security, 1756-PM016O-EN-P.
Vulnerability Details
CVE-2014-0755: Insufficiently Protected Credentials
A vulnerability exists in RSLogix 5000 and Studio 5000 Logix Designer that, when exploited, may allow a local, unauthenticated attacker to access and modify project files that are password protected using Source Key Protection and, in some instances, may expose those passwords. Project files include files with the ACD, L5X, or L5K extensions. Successful exploitation will not directly disrupt the operation of Rockwell Automation programmable controllers or other devices in the control system.
CVSS v2 Base Score: 6.3
CVSS v2 Vector: AV:L/AC:M/AU:N/C:C/I:C/A:N
Risk Mitigation & User Action
Customers using the affected software versions are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed toward the risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.
IMPORTANT: Files with Source Key Protection password protected content that have been opened and updated using v20.03 software and above will no longer be compatible with earlier versions of the software. For example, a v20.01 project file with password protected content that has been opened and re-saved using v20.03 software can only be opened with v20.03 software and higher. Also, a v21.00 project file with protected content that has been opened and re-saved using v21.03 software can only be opened with v21.03 and higher versions of software.
For the procedure to update older project files to v20.03 (or later), refer to the FAQ for V20.03 at KnowledgeBase ID: IN64.
Vulnerability Details: CVE-2014-0755
Recommended User Actions:
Risk Mitigation Strategy A: For stronger protection, apply License Source Protection introduced in v26. To apply License Source Protection to content that is protected with Source Key Protection, the Source Key Protection must be removed prior to applying License Source Protection. Once content is protected with License Source Key, it must be downloaded to the appropriate controller to mitigate the risk associated with this vulnerability. Refer to Logix 5000 Controllers Security, 1756-PM016O-EN-P (rockwellautomation.com) for more information about Source Protection.
Risk Mitigation Strategy B: In addition to using current software, we also recommend the following actions to concerned customers who continue to use Source Key Protection. Where possible:
General Security Guidelines
Software/PC-based Mitigation Strategies
The following Software/PC Mitigations may be appropriate to include when the vulnerability is within a software product running on a PC:
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Copyright ©2022 Rockwell Automation, Inc.