Introduction
Description
July 26, 2011 - version 1.0
An anomaly affecting specific versions of RSLogix 5000 software has been brought to Rockwell Automation’s attention by independent researchers and ICS-CERT. The identified anomaly relates to how RSLogix 5000 software, versions 19 and earlier, processes its native format .ACD project files.
Details of this anomaly are as follows:
The potential exists for affected versions of RSLogix 5000 software to accept a maliciously altered ACD project file that can result in an integer overflow condition, which can in turn cause the RSLogix 5000 software to terminate unexpectedly. In addition, the possibility for the injection of malicious software during this condition has not been definitively ruled out.
This anomaly affects all RSLogix 5000 releases up to and including Version 19.
There are no known exploits involving this anomaly. Successful exploitation would require social engineering to introduce and convince a user to open a maliciously altered ACD file. Additionally, there is no known proof-of-concept code or means to demonstrate results any more serious than the unexpected termination of the RSLogix 5000 application. Rockwell Automation’s technical evaluation and testing confirm the presence of this anomaly, but similarly indicates successful exploitation as a security vulnerability remains only theoretically possible. Furthermore, it has been confirmed that no escalation of privilege can result from successful exploitation of this anomaly.
Mitigation Strategy:
This anomaly will be addressed in the next release of RSLogix 5000, Version 20, and subsequent releases thereafter.
Additional recommendations to mitigate potential risk:
• Do not run RSLogix 5000 software in Administrator Mode.
• Only open ACD files from known and trusted sources.
• Store and transmit trusted ACD files in a secure manner and protect them as assets.
• Consider digitally signing trusted ACD files to authenticate their origin and indicate any file tampering.
Note: RSLogix 5000 software does not include a means to digitally sign ACD files; however, there are commercially available tools that can be used such as PGP, GnuPG to apply signatures to ACD and other files.
To help further enhance overall control system security, Rockwell Automation also recommends the following strategies. When possible, multiple strategies should be employed simultaneously:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
Rockwell Automation continues to investigate and evaluate other strategies such as product and system-level techniques and functional enhancements to enhance security and reduce the likelihood of file tampering.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security .
