PN794 | RSLogix 5000 Studio 5000 Logix Designer Source Protection Vulnerability

Severity: Medium
Advisory ID: PN794
Published Date: January 25, 2021
Last Updated: January 25, 2021
Revision Number: 2.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2014-0755
Summary
RSLogix 5000 Studio 5000 Logix Designer Source Protection Vulnerability

Revision History
Version 2.0 – January 25, 2021 – Advisory updated for clarification.
Version 1.0 – February 04, 2014 – Initial Release. Originally titled “RSLogix™ 5000 Password Vulnerability”.

Executive Summary

It has come to Rockwell Automation’s attention that a vulnerability exists in RSLogix 5000® and Studio 5000 Logix Designer® that, when exploited, provides access to content that was secured using Source Key Protection, and in some instances, may expose the password used for that protection.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.


Affected Products

Project content applying access control with Source Key Protection using an sk.dat file in RSLogix 5000 and/or Studio 5000 product software v7 and above.

Note: This does not apply to project content protected with License Source Protection. To determine what solution is in use, refer to Logix 5000 Controllers Security, 1756-PM016O-EN-P.

Vulnerability Details

CVE-2014-0755: Insufficiently Protected Credentials
A vulnerability exists in RSLogix 5000 and Studio 5000 Logix Designer that, when exploited, may allow a local, unauthenticated attacker to access and modify project files that are password protected using Source Key Protection and, in some instances, may expose those passwords. Project files include files with the ACD, L5X, or L5K extensions. Successful exploitation will not directly disrupt the operation of Rockwell Automation programmable controllers or other devices in the control system.

CVSS v2 Base Score: 6.3
CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:N

Risk Mitigation & User Action

Customers using the affected software versions are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed toward the risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability: CVE-2014-0755
Recommended User Actions:

Risk Mitigation Strategy A:
For stronger protection, apply License Source Protection introduced in v26.

To apply License Source Protection to content that is protected with Source Key Protection, the Source Key Protection must be removed prior to applying License Source Protection. Once content is protected with License Source Key, it must be downloaded to the appropriate controller to mitigate the risk associated with this vulnerability. Refer to Logix 5000 Controllers Security, 1756-PM016O-EN-P (rockwellautomation.com) for more information about Source Protection.

Risk Mitigation Strategy B:
In addition to using current software, we also recommend the following actions to concerned customers who continue to use Source Key Protection. Where possible:
  • Adopt a practice to track creation and distribution of protected ACD files, including duplicates and derivatives that contain protected content, if these files may need to be found or potentially disposed of in the future.
  • Securely archive project files that contain content password protected with Source Key Protection in a manner that prevents unauthorized access. For instance, store project files that use Source Key Protection in physical and logical locations where access can be controlled, and the files are stored in a protected and potentially encrypted manner.
  • Securely transmit project files that contain content password protected with Source Key Protection in a manner that prevents unauthorized access. For instance, email stored project files that use Source Key Protection only to known recipients and encrypt the files such that only the target recipient can decrypt the content.
  • Restrict the physical network access to controllers containing password protected content only to authorized parties to help prevent unauthorized uploading of protected material in an ACD file. Note: For some customers, FactoryTalk Security software may be a suitable option to assist customers with applying a role-based access control solution to their system. FactoryTalk Security was integrated into RSLogix 5000 v10.00 and above.
  • Adopt a password management practice to periodically change passwords applied to routines and Add-On Instructions to help mitigate the risk that a learned password may remain useable for an extended period or indefinitely.
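
One way to carry out the file-tracking practice in the first bullet of Strategy B, as an added example that is not part of the Rockwell Automation advisory: a Python script that hashes every project file (ACD, L5X, L5K) under a directory, reports byte-identical duplicates, and lists directories where an sk.dat key file is stored beside project copies. The function names, directory layout and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

PROJECT_EXTS = {".acd", ".l5x", ".l5k"}  # project file types named in the advisory
KEY_FILE = "sk.dat"                       # Source Key Protection key file

def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so large ACD files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(root):
    """Return (records, duplicates, dirs holding sk.dat beside project files)."""
    records, by_hash, key_dirs, project_dirs = [], defaultdict(list), set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower() == KEY_FILE:
                key_dirs.add(dirpath)
            elif p.suffix.lower() in PROJECT_EXTS:
                digest = sha256_of(p)
                records.append({"path": str(p), "sha256": digest, "size": p.stat().st_size})
                by_hash[digest].append(str(p))
                project_dirs.add(dirpath)
    duplicates = {h: sorted(ps) for h, ps in by_hash.items() if len(ps) > 1}
    return records, duplicates, sorted(key_dirs & project_dirs)

def build_sample_tree(root):
    """Constructed sample data: placeholder bytes, not real project files."""
    root = Path(root)
    (root / "line1").mkdir()
    (root / "backup").mkdir()
    (root / "line1" / "Mixer.ACD").write_bytes(b"constructed-project-A")
    (root / "backup" / "Mixer_copy.acd").write_bytes(b"constructed-project-A")
    (root / "backup" / "Filler.L5X").write_bytes(b"constructed-project-B")
    (root / "backup" / "sk.dat").write_bytes(b"constructed-key-file")
    (root / "line1" / "notes.txt").write_bytes(b"not a project file")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        records, dupes, exposed = inventory(tmp)
        print(len(records), "project files; duplicates:", dupes, "; key beside projects:", exposed)
```

Matching on SHA-256 finds only byte-identical copies; derivative files that were opened and re-saved have different hashes and need to be tracked by name or by a distribution log.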


IMPORTANT: Files with Source Key Protection password protected content that have been opened and updated using v20.03 software and above will no longer be compatible with earlier versions of the software. For example, a v20.01 project file with password protected content that has been opened and re-saved using v20.03 software can only be opened with v20.03 software and higher. Also, a v21.00 project file with protected content that has been opened and re-saved using v21.03 software can only be opened with v21.03 and higher versions of software.

For the procedure to update older project files to v20.03 (or later), refer to the FAQ for V20.03 at KnowledgeBase ID: IN64.

General Security Guidelines

Software/PC-based Mitigation Strategies
The following Software/PC Mitigations may be appropriate to include when the vulnerability is within a software product running on a PC:
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICS Advisory (ICSA-14-021-01)

Copyright ©2022 Rockwell Automation, Inc.