Introduction
Description
Version 1.1 - FEBRUARY 14 - 2017
UPDATE: Feb 14, 2017 Rockwell Automation has released a new version of software, v11.00.00, which contains the remediation for this vulnerability. Affected customers are encouraged to update to the most recent release to take advantage of the latest security patches.
In June 2016, Rockwell Automation was notified by ICS-CERT of a buffer overflow vulnerability that exists in its RSLogix™ Micro Starter Lite product, a free starter programming software used to program logic for the Allen-Bradley MicroLogix™ product family.

This vulnerability is not remotely executable, and successful social engineering is required to convince a victim into using the tool to open an untrusted, specifically modified project file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as the logged-in user. The impact to the user’s environment is highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ. Currently, there is no publicly available exploit code relating to this vulnerability.

Rockwell Automation has evaluated the report and confirmed the existence of this vulnerability in RSLogix™ Micro Starter Lite. We further investigated and confirmed this vulnerability in the additional versions of RSLogix 500® and RSLogix™ Micro. We have released updated software to address the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
- RSLogix™ Micro Starter Lite, Versions 10.00.00 and earlier
- RSLogix™ Micro Developer, Versions 10.00.00 and earlier
- RSLogix 500® Starter Edition, Versions 10.00.00 and earlier
- RSLogix 500® Standard Edition, Versions 10.00.00 and earlier
- RSLogix 500® Professional Edition, Versions 10.00.00 and earlier
A patch for v8.40.00 is available now and applies only to v8.40.00; links are provided below. The remediation will also be available in the next major revision of the software. This advisory will be updated when additional versions are available.
VULNERABILITY DETAILS
The discovered vulnerability exists in the code that opens and parses the RSLogix 500 and RSLogix Micro project files, identified by the RSS extension. In order for this vulnerability to be exploited in RSLogix 500 and RSLogix Micro, an attacker must create a malicious RSS file, which is the native file format for this software package. If the malicious project file is opened by an affected version of the product, the buffer overflow condition is exploited. If the attack is successful, the injected code will run at the same privilege level as the user who is logged into the machine.

Exploitation of this vulnerability requires the attacker to successfully convince a user to open a modified project file on their machine.

Potential impacts from a successful attack could include a software crash (for example, Denial of Service) which then requires a software restart. However, in more extreme cases, the victim may not even be aware of vulnerability exploitation while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same or higher privilege level as the victim on the affected computer, up to and including computer administrative privileges.
CVE-2016-5814 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned; the CVSS v3 vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
RISK MITIGATIONS
The following precautionary measures are recommended as additional risk mitigation strategies for this type of attack. If possible, multiple strategies should be employed simultaneously.
- Do not open untrusted .RSS files with RSLogix 500 and RSLogix Micro.
- Customers using affected versions of RSLogix 500 and RSLogix Micro are encouraged to apply the patch that addresses the associated risk and includes added improvements to further harden the software and enhance its resilience against similar malicious attacks. (Note: Patch is for v8.40.00 ONLY! Do NOT apply to other versions!)

  Product Family   Catalog Numbers   Software Versions               Suggested Actions
  RSLogix Micro    9324-RLMx         8.40.00                         878490 - Patch: Crash when opening project, RSLogix 500 8.40.00
  RSLogix Micro    9324-RLMx         Versions 10.00.00 and earlier   Update to V11.00 or later (Download)
  RSLogix 500      9324-RL0x         8.40.00                         878490 - Patch: Crash when opening project, RSLogix 500 8.40.00
  RSLogix 500      9324-RL0x         Versions 10.00.00 and earlier   Update to V11.00 or later (Download)
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Using Microsoft AppLocker or a similar application whitelisting tool can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at 546989 - Using Rockwell Automation Software Products with AppLocker.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
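As an added example (not Rockwell Automation's own tooling), the following Python triage script encodes the remediation rules from the affected-products list and the patch table above: the 878490 patch applies to 8.40.00 only, any other version up to 10.00.00 is updated to 11.00.00 or later, and 11.00.00 or later already contains the fix. The host names and inventory rows are constructed for the example.

```python
"""Triage installed RSLogix 500 / RSLogix Micro versions per the advisory.
Example code added alongside the advisory; not Rockwell Automation's tooling.
"""
from typing import Dict, Iterable, Tuple

# Product names as listed in the advisory (trademark symbols dropped).
AFFECTED_PRODUCTS = {
    "RSLogix Micro Starter Lite",
    "RSLogix Micro Developer",
    "RSLogix 500 Starter Edition",
    "RSLogix 500 Standard Edition",
    "RSLogix 500 Professional Edition",
}
PATCH_ONLY_VERSION = (8, 40, 0)   # patch 878490 is for this version ONLY
LAST_AFFECTED = (10, 0, 0)        # "Versions 10.00.00 and earlier"
FIXED_VERSION = (11, 0, 0)        # v11.00.00 contains the remediation


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn strings such as '10.00.00' or 'V11.00' into a comparable tuple."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def remediation(product: str, version: str) -> str:
    """Return the advisory's suggested action for one installed product."""
    if product not in AFFECTED_PRODUCTS:
        return "not-affected-product"
    v = parse_version(version)
    if v == PATCH_ONLY_VERSION:          # exact match only, per the note
        return "apply-patch-878490"
    if v <= LAST_AFFECTED:               # everything else up to 10.00.00
        return "update-to-11.00.00-or-later"
    return "already-fixed"               # 11.00.00 and later


# Constructed sample inventory: hypothetical hosts, not from the advisory.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "RSLogix 500 Standard Edition", "8.40.00"),
    ("eng-ws-02", "RSLogix Micro Starter Lite", "9.05.01"),
    ("eng-ws-03", "RSLogix 500 Professional Edition", "V11.00"),
    ("eng-ws-04", "HypotheticalOtherTool", "10.00.00"),
]


def triage(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each host to the action its installed product/version requires."""
    return {host: remediation(prod, ver) for host, prod, ver in inventory}
```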
Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index, and the company public security web page at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website at http://www.rockwellautomation.com/solutions/security.
If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.
ADDITIONAL LINKS
54102 - Industrial Security Advisory Index
878490 - Patch: Crash when opening project, RSLogix 500 8.40.00
ICS-CERT Advisory ICSA-16-224-02
Revision History: 
14-FEB-2017 Version 1.1  Added details for V11.00.00.