Severity: Critical, High, Medium
Advisory ID: PN1500
Published: April 23, 2020
Last updated: April 23, 2020
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs
CVE-2017-12819,
CVE-2019-8282,
CVE-2017-11497,
CVE-2017-11496,
CVE-2017-12818,
CVE-2017-11498,
CVE-2017-12821,
CVE-2017-12822,
CVE-2019-8283,
CVE-2017-12820
Summary
FactoryTalk Activation Affected by Sentinel LDK Vulnerabilities
Revision History
Version 1.0 / April 23, 2020 - Initial Release
Executive Summary
Kaspersky, a cybersecurity company, alerted Rockwell Automation to ten vulnerabilities in the hasplms service that is part of Gemalto's HASP SRM, Sentinel HASP, and Sentinel LDK products. FactoryTalk® Activation provides the user a way to install the Sentinel LDK Runtime Environment, which in turn installs the drivers needed to use Flexera dongles. Customers who are not using Flexera dongles to store activations would not be impacted by these vulnerabilities.
These vulnerabilities are remotely exploitable and may allow threat actors to cause a denial-of-service (DoS) condition or execute arbitrary code if successfully exploited.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
FactoryTalk Activation Manager v4.03.11 and below
- Includes Sentinel LDK Runtime Environment v7.50
Vulnerability Details
CVE-2017-12822: Remote Code Execution (RCE) via Admin Interface
A remote, unauthenticated attacker may enable and disable the admin interface in the Sentinel LDK Runtime Environment, which may lead to remote code execution.
CVSS v3.0 Base Score: 9.9/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
CVE-2017-11496: Arbitrary Code Execution via Malformed ASN.1 Streams
A stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) may allow a remote, unauthenticated attacker to execute arbitrary code via malformed ASN.1 streams in V2C and similar input files.
CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2017-11497: Arbitrary Code Execution via Language Packs with Filenames Longer than 1024 Characters
A stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) may allow a remote, unauthenticated attacker to execute arbitrary code via language packs containing filenames longer than 1024 characters.
CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
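A practical defense against language-pack issues of the kind described for CVE-2017-11497 is to audit the ZIP before the runtime's parser ever sees it. The block below is an added example, not code from this advisory, Rockwell or Gemalto: it enforces the 1024-character entry-name limit implied by CVE-2017-11497 (measured in bytes, as a fixed-size native buffer would see it) and adds a generic path-traversal check that the advisory does not mention. The sample archives, the function names and the constant names are the editor's own.

```python
"""Audit a language pack (a ZIP of HTML files) before a parser sees it.

Added example, not Rockwell or Gemalto code. The 1024-character limit comes from
the CVE-2017-11497 description; the path-traversal check is generic ZIP hygiene
that the advisory does not mention. All sample archives are constructed here.
"""
import io
import zipfile

MAX_NAME_LEN = 1024  # entry-name limit implied by CVE-2017-11497


def audit_language_pack(zip_bytes: bytes, max_name_len: int = MAX_NAME_LEN) -> list[str]:
    """Return a list of findings for the archive; an empty list means it passed."""
    findings: list[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile as exc:
        return [f"not a valid ZIP archive: {exc}"]
    with archive:
        for info in archive.infolist():
            name = info.filename
            name_bytes = len(name.encode("utf-8"))
            # Measure bytes, not characters: a fixed-size C buffer sees bytes.
            if name_bytes > max_name_len:
                findings.append(f"entry name exceeds {max_name_len} bytes: {name_bytes} bytes")
            # Generic check (not from the advisory): reject names that would
            # escape the extraction directory.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"entry name escapes extraction directory: {name[:40]!r}")
    return findings


def build_sample_pack(entry_name: str) -> bytes:
    """Constructed test input: a one-file ZIP whose entry has the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(entry_name, "<html><body>hello</body></html>")
    return buf.getvalue()


SAFE_PACK = build_sample_pack("en/index.html")
OVERLONG_PACK = build_sample_pack("en/" + "a" * 1100 + ".html")  # name > 1024 bytes

if __name__ == "__main__":
    for label, pack in (("safe", SAFE_PACK), ("overlong", OVERLONG_PACK)):
        print(label, audit_language_pack(pack) or "OK")
```

The byte-length check is deliberately stricter than a character count: a name of 700 three-byte UTF-8 characters is 2100 bytes and would be rejected even though it is "shorter" than 1024 characters.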
CVE-2017-12819: NTLM Relay Attack via Remote Manipulation of the Language Pack Updater
Manipulation of the language pack updater may allow a remote, unauthenticated attacker to perform an NTLM (NT LAN Manager) relay attack against system users. Successful exploitation may capture NTLM hashes, with impacts that are not fully known.
CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2017-12821: Remote Code Execution via Memory Corruption
An XML payload with more than the supported number of elements overflows a buffer held in a stack variable. Successful exploitation may allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition or achieve remote code execution.
CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2017-11498: Denial of Service (DoS) via Language Pack (ZIP File) with Invalid HTML Files
Language packs (ZIP files) containing invalid HTML files lead to null pointer dereferences, which can be triggered with malicious HTML files. Successful exploitation may allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.
CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2017-12818: Denial of Service (DoS) via Stack Overflow in Custom XML Parser
A stack overflow in the custom XML parser in Sentinel LDK may allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.
CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2017-12820: Denial of Service (DoS) via Arbitrary Memory Read from Controlled Memory Pointer
An arbitrary memory read from an attacker-controlled memory pointer in Sentinel LDK may allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.
CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2019-8282: Man-in-the-Middle (MITM) Attack via Cleartext HTTP Communications
Gemalto ACC (Admin Control Center) uses cleartext HTTP to obtain language packs. A skilled remote attacker may be able to perform a Man-in-the-Middle (MITM) attack and replace the original language pack with a malicious one. User interaction is required for successful exploitation.
CVSS v3.0 Base Score: 5.3/MEDIUM
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2019-8283: Hasplm Cookie Does Not Have the HttpOnly Attribute
The Hasplm cookie in Gemalto ACC (Admin Control Center) does not carry the HttpOnly flag. This may allow a remote attacker to steal the cookie with malicious JavaScript. User interaction is required.
CVSS v3.0 Base Score: 5.3/MEDIUM
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Note: the published score and vector do not agree. The vector above computes to a CVSS v3.0 base score of 6.5; a score of 5.3 corresponds to the same vector with AC:H.
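Checking a server's Set-Cookie headers for the flag CVE-2019-8283 concerns is a quick verification step before and after updating. The block below is an added example, not code from this advisory or from Gemalto. The header lines are constructed; the cookie name follows the advisory's spelling; and the Secure check is general cookie hygiene that goes beyond the advisory (the same service also speaks cleartext HTTP, per CVE-2019-8282). The function names are the editor's own.

```python
"""Audit Set-Cookie headers for HttpOnly (CVE-2019-8283) and Secure.

Added example, not advisory or Gemalto code. The header lines are constructed:
only the cookie name comes from the advisory; values, paths and the hardened
form are assumptions. 'secure' is general hygiene, not part of the advisory.
"""

# Constructed sample responses: the weak form the advisory describes, and what a
# hardened response would look like.
WEAK_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: hasplm=0123456789abcdef; Path=/",
]
HARDENED_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: hasplm=0123456789abcdef; Path=/; HttpOnly; Secure; SameSite=Strict",
]


def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Split one Set-Cookie header into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to ''.
    """
    _, _, body = header.partition(":")
    parts = [part.strip() for part in body.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(headers: list[str], required=("httponly", "secure")) -> dict[str, list[str]]:
    """Return {cookie name: [missing attributes]} for every Set-Cookie header."""
    report: dict[str, list[str]] = {}
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(header)
        report[name] = [flag for flag in required if flag not in attrs]
    return report


if __name__ == "__main__":
    print("weak    :", audit_cookies(WEAK_HEADERS))
    print("hardened:", audit_cookies(HARDENED_HEADERS))
```

Pass the raw header lines from a captured response (for example, the output of a proxy or `curl -i`) to `audit_cookies`; any cookie that lists `httponly` as missing is readable by script in the page, which is exactly the condition the advisory describes.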
Risk Mitigation & User Action
Customers using the affected versions of FactoryTalk Activation are encouraged to update to FactoryTalk Activation version 4.04.00 or greater. This version addresses the associated risk and uses a version of Sentinel LDK Runtime Environment with no known vulnerabilities associated with it at time of publication.
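To decide quickly which installs in a fleet fall inside the affected range, compare the installed version against the 4.03.11 and 4.04.00 boundaries numerically rather than as strings. The block below is an added example, not Rockwell code; it assumes a dotted numeric version string has already been collected from the host, and its sample inputs are constructed.

```python
"""Classify an installed FactoryTalk Activation Manager version against this advisory.

Added example, not Rockwell code. It assumes the version string has already been
read from the host; the inputs used to exercise it are constructed.
"""
LAST_AFFECTED = "4.03.11"   # "v4.03.11 and below" in Affected Products
FIRST_FIXED = "4.04.00"     # "version 4.04.00 or greater" in Risk Mitigation


def parse_version(text: str) -> tuple[int, ...]:
    """'v4.03.11' -> (4, 3, 11).

    Numeric tuples avoid the string-comparison trap where '4.9.0' sorts above
    '4.10.0' and where leading zeros change the result.
    """
    parts = text.strip().lstrip("vV").split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in parts)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is below, equal to or above b; '4.04' equals '4.04.00'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def advisory_status(installed: str) -> str:
    """'affected' for 4.03.11 and below, 'fixed' for 4.04.00 and above, and
    'unlisted' for anything in between, which the advisory does not classify."""
    if compare_versions(installed, LAST_AFFECTED) <= 0:
        return "affected"
    if compare_versions(installed, FIRST_FIXED) >= 0:
        return "fixed"
    return "unlisted"


if __name__ == "__main__":
    for sample in ("4.03.11", "4.03.12", "4.04.00", "4.10.00"):
        print(sample, advisory_status(sample))
```

The 'unlisted' result is deliberate: a build between 4.03.11 and 4.04.00 is not named on either side of this advisory, so treat it as a question for the vendor rather than silently folding it into one bucket.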
General Security Guidelines
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP™ traffic from unauthorized sources is blocked.
- Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® Products, refer to Knowledgebase Article ID 898270.
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use of Microsoft® AppLocker or a similar application whitelisting tool can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).
Copyright ©2022 Rockwell Automation, Inc.