Introduction
Description
Version 1.0 - November 27, 2018
Rockwell Automation received a report detailing vulnerabilities in software components that are shared by products that utilize the FactoryTalk® Services Platform. These vulnerabilities, if successfully exploited, may result in diminished communication or complete communication loss (denial of service) to the products that utilize the targeted services. FactoryTalk Services Platform consists of a suite of services, which create a services-oriented architecture (SOA). The SOA enables real-time data sharing across a range of software applications used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
FactoryTalk Services Platform, v2.90 and earlier.
Note: This vulnerability is addressed in FactoryTalk Services Platform v3.00. Additional software patches and details are provided in the Risk Mitigations and Recommended User Actions section below.
Nearly all FactoryTalk software ships with FactoryTalk Services Platform. If you have a product from the following list, you may also be affected. If you are unsure of which FactoryTalk Services Platform version is installed on your machine, see Knowledgebase Article ID 25612 for additional details.
- FactoryTalk AssetCentre
- FactoryTalk Activation Manager
- FactoryTalk Alarms & Events
- FactoryTalk Batch
- FactoryTalk eProcedure®
- FactoryTalk Gateway
- FactoryTalk Historian Site Edition (SE)
- FactoryTalk Linx (formerly: RSLinx Enterprise)
- FactoryTalk Metrics
- FactoryTalk Transaction Manager
- FactoryTalk VantagePoint®
- FactoryTalk View Machine Edition (ME) (Studio Only - no impact to PanelView Plus products)
- FactoryTalk View Site Edition (SE)
- FactoryTalk ViewPoint SE
- RSLinx® Classic
- RSLogix 5000® (v20 Only) / Studio 5000 Logix Designer®
- RSNetWorx™
- Studio 5000 Architect®
VULNERABILITY DETAILS
A remote, unauthenticated threat actor could send numerous crafted packets to the following service ports: 1332, 5241, 6543, and 4241, resulting in a growth in memory consumption that could lead to a partial or complete denial of service condition to products utilizing the targeted services until the process is restarted.
CVE-2018-18981 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Customers using affected versions of FactoryTalk Services Platform are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Currently Installed | Suggested Actions | 
| FactoryTalk® Services Platform, v2.90 and earlier | Update FactoryTalk Services Platform to v3.00 and later. For customers who are unable to update to V3.00, software patches have been released for the following versions: V2.74, V2.80, V2.81, V2.90. These patches can be found at Knowledgebase Article ID 1082055. |
GENERAL SECURITY GUIDELINES
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
- Use of Microsoft AppLocker or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
- Use trusted software, software patches, and anti-virus/anti-malware programs.
- Minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the enterprise network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
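An added example, not part of Rockwell Automation's advisory: a Python check that parses Windows `netstat -ano` output and reports which of the four service ports named under Vulnerability Details are bound to a non-loopback address, as one way to verify the network-exposure guidelines above. The sample output is constructed and the helper name `exposed_listeners` is hypothetical; because the advisory does not state the transport protocol, both TCP and UDP rows are handled.

```python
import ipaddress
import re

# Service ports named in the advisory's Vulnerability Details section.
ADVISORY_PORTS = {1332, 5241, 6543, 4241}

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:1332           0.0.0.0:0              LISTENING       2084
  TCP    127.0.0.1:5241         0.0.0.0:0              LISTENING       2310
  TCP    192.168.10.20:6543     0.0.0.0:0              LISTENING       2412
  TCP    192.168.10.20:49712    192.168.10.5:4241      ESTABLISHED     3120
  TCP    [::]:4241              [::]:0                 LISTENING       2511
  UDP    0.0.0.0:5353           *:*                                    1500
"""

# proto, local address, local port, optional TCP state, owning PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def exposed_listeners(netstat_text, ports=ADVISORY_PORTS):
    """Hypothetical helper: advisory ports bound to a non-loopback address."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines
        proto, addr, port, state, pid = m.groups()
        if int(port) not in ports:
            continue
        # Only listening TCP sockets count; UDP rows have no state column.
        if proto == "TCP" and state != "LISTENING":
            continue
        try:
            ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
        except ValueError:
            continue  # non-numeric address (netstat run without -n)
        if ip.is_loopback:
            continue  # reachable only from the host itself
        findings.append((proto, str(ip), int(port), int(pid)))
    return findings


if __name__ == "__main__":
    for proto, ip, port, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {ip}:{port} is network-reachable (PID {pid})")
```

A finding on `0.0.0.0` or `::` means the service listens on every interface, so whether it is actually reachable then depends on the host and network firewalls in front of it.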
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
REVISION HISTORY
| Date | Version | Details | 
| 27-Nov-2018 | 1.0 | Initial Release |