PN759 | FactoryTalk Diagnostics and RSLinx Enterprise Software Vulnerability

Severity: High
Advisory ID: PN759
Published Date: June 28, 2013
Last Updated: June 28, 2013
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Description

April 5, 2013

Updated: June 28, 2013

Rockwell Automation was notified through ICS-CERT that Carsten Eiram of the security firm Risk Based
Security (www.riskbasedsecurity.com) identified vulnerabilities that affect a software component of the
FactoryTalk™ Services Platform (RNADiagnostics.dll) and two software components of RSLinx Enterprise
software (LogReceiver.exe and Logger.dll). These vulnerabilities have been confirmed to be remotely
exploitable, and exploitation can lead to termination of affected software services and Denial of Service
conditions.

To date, Rockwell Automation is not aware of any known cases of successful exploitation of these
vulnerabilities in operational systems. Furthermore, we are not aware of publicly available proof of
concept exploit code.

Rockwell Automation worked directly with Mr. Eiram to verify his findings, determine root cause and
validate the resulting software patches being issued for the FactoryTalk Services Platform and RSLinx
Enterprise software. Given the company’s focus on continuous improvement, added steps are being taken to
further enhance the development and testing processes associated with these products. As a result,
additional product hardening enhancements have been included in the referenced software patches and will
continue to be deployed via forthcoming product releases.

AFFECTED PRODUCTS

  • All FactoryTalk-branded software, including CPR9-SR0 through SR6
  • All RSLinx Enterprise software, prior to and including CPR9 and CPR9-SR1 through SR6

VULNERABILITY DETAILS AND IMPACTS

FACTORYTALK SERVICES PLATFORM
(RNADiagnostics.dll)

The software components exhibit a vulnerability as a result of missing input validation and improper
exception handling with streaming data. A specially crafted packet sent to TCP port 5241 will result in
a crash of the RsvcHost.exe service. A successful attack will result in the following:

  1. Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4445.
  2. Crash condition that disrupts further execution of the RNADiagnostics.dll or RNADiagReceiver.exe
    diagnostic service.

The vulnerability can be exploited remotely from a network-based attack; however, no possibility of
malicious code injection or escalation of privilege on the host machine is known to result from
successful exploitation. There is also no indication that exploitation will directly disrupt operation
of a Rockwell Automation programmable controller, operator interface or other networked device connected
elsewhere in the local control system.

RSLINX ENTERPRISE SOFTWARE
(LogReceiver.exe and Logger.dll)

These software components exhibit a vulnerability as a result of a logic error in the service’s handling
of zero-byte or large datagrams received on UDP port 4444 (user-configurable, but not enabled by
default). When successfully exploited, the vulnerability will cause the thread receiving data to
exit, resulting in the service silently ignoring further incoming requests. A successful attack will
result in two respective conditions:

  1. Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4444.
  2. Crash condition that disrupts further execution of the LogReceiver.exe service.

The vulnerability can be exploited remotely with the potential for code injection; however, no
possibility of escalation of privilege on the host machine is known to result from successful
exploitation. Although theoretical, a possibility of remote code execution has been identified. There
is also no indication that exploitation will directly disrupt operation of a Rockwell Automation
programmable controller, operator interface or other networked device connected elsewhere in the local
control system.

< Update Start >

As a result of additional analysis conducted by Risk Based Security, Inc. of the LogReceiver.exe service, additional enhancements have been made to the LogReceiver.exe to further increase resiliency of the service.

< Update End >



RISK MITIGATION

Software patches for affected FactoryTalk Services Platform and RSLogix Enterprise software are being
released to mitigate associated risk:

| Product Description | Affected Versions | Recommendations |
|---|---|---|
| FactoryTalk Services Platform (FTSP) | CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4 | Upgrade to FTSP CPR9-SR5 or newer |
| | CPR9-SR5 | Apply patch: AID#522048 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522048 |
| | CPR9-SR5.1 | Apply patch: AID#522049 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522049 |
| | CPR9-SR6 | Apply patch: AID#522052 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522052 |

| Product Description | Affected Versions | Recommendations |
|---|---|---|
| RSLinx Enterprise | CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4 | Upgrade to RSLinx CPR9-SR5 or newer |
| | CPR9-SR5 | Apply patch: AID# 544798 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/544798 Update: AID# 534705 has been replaced with AID: 544798 which includes additional security enhancements. |
| | CPR9-SR5.1 | Apply patch: AID# 545535 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/545535 Update: AID# 537302 has been replaced with AID: 545535 which includes additional security enhancements. |
| | CPR9-SR6 | Apply patch: AID#545537 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/545537 Update: AID# 535962 has been replaced with AID: 545537 which includes additional security enhancements. |

Corrective actions have been taken to help ensure subsequent software versions of FactoryTalk Services
Platform, including FactoryTalk Diagnostics, and RSLinx Enterprise will remain free of this
vulnerability.

In addition to applying the above patches, to help further reduce the likelihood of compromise and the
associated security risk, Rockwell Automation recommends the following immediate mitigation strategies.
When possible, multiple strategies should be employed simultaneously:

  1. The RNADiagReceiver.exe service should only run on servers that will receive diagnostics from PanelView
    Plus terminals. It is advisable to disable this service via Microsoft Windows Service Control Panel for
    servers that do not require this service.
  2. Configure firewalls to block the following TCP ports to prevent traversal of RNA messages into/out of
    the ICS system:
      • 1330
      • 1331
      • 1332
      • 4241
      • 4242
      • 4445
      • 4446
      • 5241
      • 6543
      • 9111
      • 60093
      • 49281
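
One way to verify that the port blocking above is effective, as an added example (not Rockwell Automation code): the Python below audits firewall or flow records for traffic that crosses the ICS boundary on the listed TCP ports, plus UDP 4444 and 4445 from the vulnerability details. The ICS address range 10.10.0.0/16, the CSV record layout and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# TCP ports the advisory says to block at the ICS boundary (mitigation item 2).
RNA_TCP_PORTS = {1330, 1331, 1332, 4241, 4242, 4445, 4446, 5241, 6543, 9111, 60093, 49281}
# UDP ports named in the vulnerability details (4444 is the LogReceiver.exe port).
ADVISORY_UDP_PORTS = {4444, 4445}
# Assumption: the control network address space; replace with your own ranges.
ICS_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample records (not real traffic): time,proto,src,sport,dst,dport,action
SAMPLE_FLOWS = """\
2013-06-28T08:00:01,tcp,192.168.50.7,51234,10.10.1.20,5241,allow
2013-06-28T08:00:02,tcp,10.10.1.30,49500,10.10.1.20,5241,allow
2013-06-28T08:00:03,udp,192.168.50.7,40000,10.10.1.21,4444,deny
2013-06-28T08:00:04,tcp,10.10.1.20,1330,172.16.0.9,52000,allow
2013-06-28T08:00:05,tcp,192.168.50.7,51300,10.10.1.20,443,allow
2013-06-28T08:00:06,udp,192.168.50.8,4445,192.168.50.9,4445,allow
"""

def in_ics(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ICS_NETWORKS)

def watched(proto, port):
    ports = RNA_TCP_PORTS if proto == "tcp" else ADVISORY_UDP_PORTS if proto == "udp" else set()
    return port in ports

def audit(flow_text):
    """Return findings for flows that cross the ICS boundary on advisory ports."""
    findings = []
    fields = ["time", "proto", "src", "sport", "dst", "dport", "action"]
    for row in csv.DictReader(io.StringIO(flow_text), fieldnames=fields):
        proto = row["proto"].lower()
        # A flow crosses the boundary when exactly one endpoint is inside the ICS.
        if in_ics(row["src"]) == in_ics(row["dst"]):
            continue
        hit = [p for p in (int(row["sport"]), int(row["dport"])) if watched(proto, p)]
        if not hit:
            continue
        direction = "inbound" if in_ics(row["dst"]) else "outbound"
        status = "VIOLATION" if row["action"] == "allow" else "blocked"
        findings.append((status, direction, proto, hit[0], row["src"], row["dst"]))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(*f)
```

A `VIOLATION` finding means the boundary firewall allowed an RNA-related flow that the advisory says to block; a `blocked` finding shows the rule working and is still worth reviewing as evidence of probing or misconfigured hosts.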

We also recommend concerned customers remain vigilant and continue to follow security strategies that
help reduce risk and enhance overall control system security. Where possible, we suggest you apply
multiple recommendations and complement this list with your own best-practices:

  1. Employ layered security and defense-in-depth methods in system design to restrict and control access to
    individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for
    comprehensive information about implementing validated architectures designed to deliver these measures.
  2. Restrict physical and electronic access to automation products, networks and systems to only those
    individuals authorized to be in contact with control system equipment and perform product firmware
    upgrades to that equipment.
  3. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

Concerned customers are encouraged to continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information
relating to this matter.

For more information and for assistance with assessing the state of security of your existing control
system, including improving your system-level security when using Rockwell Automation and other vendor
controls products, you can visit the Rockwell Automation Security Solutions web site at
http://www.rockwellautomation.com/solutions/security

KCS Status

Released
