Loading

PN676 | FactoryTalk RnaUtility.dll Vulnerability

Advisory ID:
PN676
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Summary
FactoryTalk RnaUtility.dll Vulnerability

Introduction

FactoryTalk RnaUtility.dll Vulnerability

Description

Publicly disclosed September 13, 2011 as RSLogix 5000 Denial of Service Vulnerability

Updated October 5, 2011

This advisory is a replacement and update to AID#: 456065

On September 13, 2011, Rockwell Automation was made aware of a potential vulnerability in RSLogix™ 5000 software that if successfully exploited, may result in a Denial of Service condition. Since the release of this information, we have been evaluating the specific vulnerability and associated risk.

We have confirmed the existence of this vulnerability in a particular software service employed by RSLogix 5000 and FactoryTalk®-branded Rockwell Automation software products.

Affected Products:

Product Description

Affected Versions

RSLogix 5000 software

Versions V17, V18 and V19

All FactoryTalk-branded software

CPR9 and CPR9-SR1 through SR4


Vulnerability Details and Impacts:

The particular vulnerability affects a software service in Rockwell Automation’s FactoryTalk Services Platform (FTSP). Although the installation of FTSP is optional, the specific service is also employed separately with a variety of Rockwell Automation software applications.

The Rockwell Automation Security Taskforce has determined that exploitation of this vulnerability can result in a potential Denial of Service (DoS) in RSLogix 5000 software. Specifically, it can result in RSLogix 5000 being unable to publish information to FactoryTalk Diagnostics and FactoryTalk AssetCentre. Additionally, exploitation can lead to a potential for a DoS and Denial of View (DoV) condition to other affected FactoryTalk-branded software. Such DoS and DoV conditions can prevent affected software from establishing communication or maintaining information exchange with servers and other control system devices.

There is no known possibility of malicious code injection and no known escalation of privilege on the target machine that results from successful exploitation of the vulnerability. Furthermore, there is no indication that exploitation will disrupt operation of a Rockwell Automation programmable controller or communications between RSLogix 5000 software and a Rockwell Automation programmable controller.

Vulnerability Mitigation:

A software patch for affected FactoryTalk Services Platform and RSLogix 5000 software has been released. Rockwell Automation recommends concerned customers apply this patch roll-up at their earliest convenience:

Recommended
Mitigation

Product Description

Current Version

Recommendations

FactoryTalk Services Platform (FTSP)

CPR9, CPR9-SR1, CPR9-SR2,
CPR9-SR3, CPR9-SR4

Apply patch roll-up:

AID#458689

http://rockwellautomation.custhelp.com/app/answers/detail/a_id/458689

RSLogix 5000

V17, V18, V19

NOTE: FactoryTalk Services Platform CPR7 and earlier and RSLogix 5000 V16 and earlier are not affected by this vulnerability.

Other Mitigation Techniques:

We recognize the concerns our customers have relating to this matter. We continue to recommend that concerned customers remain vigilant and follow good security practices and system design.

Rockwell Automation, in collaboration with NitroSecurity, has released a specific SNORT® signature suitable for many popular Intrusion Detection Systems (IDS). Use of this signature can help further reduce risk of successful remote exploitation of this vulnerability. This signature has been supplied to the QuickDraw SCADA IDS project, originally funded by US Department of Energy, for inclusion in the QuickDraw signature database. http://www.digitalbond.com/tools/quickdraw/

Rockwell Automation has evaluated Symantec Endpoint Protection (SEP) and validated a rule that blocks the known exploitation for SEP. We recommend that SEP definitions be kept up to date. For more information, refer to: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24527

In addition, the following security strategies are some techniques that will help reduce risk and enhance overall control system security:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

3. Configure firewall ingress/egress rules to block the following TCP ports to prevent traversal of RNA messages into/out of the ICS system:

1330

1331

1332

4241

4242

4445

4446

5241

6543

9111

60093

49281

4. Evaluate firewall configurations to ensure other appropriate traffic is blocked.

5. Use antivirus/antimalware and endpoint security solutions and verify security definitions for are kept up to date.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left United Kingdom Chevron RightChevron Right
  2. Chevron LeftChevron Left Support Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
Please update your cookie preferences to continue.
This feature requires cookies to enhance your experience. Please update your preferences to allow for these cookies:
  • Social Media Cookies
  • Functional Cookies
  • Performance Cookies
  • Marketing Cookies
  • All Cookies
You can update your preferences at any time. For more information please see our Privacy Policy
CloseClose