
PN1540 | FactoryTalk Linx and FactoryTalk Services Platform Contain Denial-of-Service Vulnerabilities

Severity: High, Medium
Advisory ID: PN1540
Published Date: January 22, 2021
Last Updated: January 22, 2021
Revision Number: 2.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2020-5806, CVE-2020-5801, CVE-2020-5802, CVE-2020-5807
Summary
FactoryTalk Linx and FactoryTalk Services Platform Contain Denial-of-Service Vulnerabilities

Revision History

Version 3.0 - January 22, 2021. Updated and Corrected Risk Mitigation & User Actions.


Version 2.0 - January 14, 2021. Updated Risk Mitigation & User Actions.


Version 1.0 - December 27, 2020. Initial Version.

Executive Summary

Rockwell Automation received a report from Tenable regarding 4 vulnerabilities. Three of these vulnerabilities are within FactoryTalk® Linx software and the fourth is in FactoryTalk Services Platform. If successfully exploited, these vulnerabilities may result in denial-of-service conditions.

Nearly all FactoryTalk software ships with a FactoryTalk Services Platform. If you are unsure if you have the FactoryTalk Services Platform installed, please see Knowledgebase ID QA5266 for additional details.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Vulnerability: Affected Products
CVE-2020-5801: FactoryTalk Linx version 6.20 and earlier.
CVE-2020-5802: FactoryTalk Linx version 6.20 and earlier.
CVE-2020-5806: FactoryTalk Linx versions 6.10, 6.11, and 6.20.
CVE-2020-5807: FactoryTalk Services Platform version 6.20 and earlier.

Vulnerability Details

CVE-2020-5801 and CVE-2020-5802: Denial-of-Service due to Unhandled Exception
An unhandled exception vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe, causing a denial-of-service condition.

CVSS v3.1 Base Score: 7.5 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5806: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a local, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial-of-service condition.

CVSS v3.1 Base Score: 6.2 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5807: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Services Platform. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted log file to a local user. When the malicious log file is opened by a local user, it can cause a buffer overflow in the FactoryTalk Services Platform resulting in temporary denial-of-service conditions. Users can recover from the condition by reopening the impacted software.

CVSS v3.1 Base Score: 4.3 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Version 3.0: Correction
Vulnerability: Suggested Actions
CVE-2020-5801, CVE-2020-5802:
  • Version 2.0: Apply patch found in BF26285.
  • Version 1.0: Apply Internet Protocol Security (IPSec) to provide security services for IP network traffic. For more information on how to apply IPSec, see Knowledge Base ID QA46277.
CVE-2020-5806:
  • Version 3.0: Apply patch found in BF26287.
CVE-2020-5807:
  • For FactoryTalk Services Platform v6.20 see Patch Answer ID BF26157.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID BF7490.
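One way to verify that the port restriction above is actually enforced is to review flow records for EtherNet/IP or CIP traffic that crosses into the Manufacturing Zone. The following is an added example, not part of the original advisory: the CSV flow format, the zone subnet 10.20.0.0/16 and the sample records are all constructed assumptions to be replaced with your own firewall or NetFlow export.

```python
import csv
import io
import ipaddress

# Ports named in the advisory for EtherNet/IP and CIP traffic (TCP and UDP).
CIP_PORTS = {2222, 44818}
# Assumed Manufacturing Zone addressing; replace with your site's subnets.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample flow records: timestamp,src_ip,dst_ip,proto,dst_port
SAMPLE_FLOWS = """\
2021-01-22T08:00:01Z,10.20.1.15,10.20.3.40,tcp,44818
2021-01-22T08:00:07Z,192.168.50.9,10.20.3.40,tcp,44818
2021-01-22T08:01:12Z,192.168.50.9,10.20.3.41,udp,2222
2021-01-22T08:02:30Z,192.168.50.9,10.20.3.40,tcp,443
2021-01-22T08:03:00Z,not-an-ip,10.20.3.40,tcp,44818
"""

def in_zone(addr):
    return any(addr in net for net in MANUFACTURING_ZONE)

def find_violations(flow_text):
    """Return (violations, malformed) for flows that reach CIP ports from outside the zone."""
    violations, malformed = [], []
    for row in csv.reader(io.StringIO(flow_text)):
        if not row:
            continue
        try:
            ts, src, dst, proto, port = row  # wrong field count raises ValueError
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            # Keep unparseable records for review instead of silently dropping them.
            malformed.append(row)
            continue
        crosses_boundary = in_zone(dst_ip) and not in_zone(src_ip)
        if proto.lower() in ("tcp", "udp") and port in CIP_PORTS and crosses_boundary:
            violations.append((ts, src, dst, proto.lower(), port))
    return violations, malformed

if __name__ == "__main__":
    hits, bad = find_violations(SAMPLE_FLOWS)
    for hit in hits:
        print("policy violation:", hit)
    print(f"{len(bad)} malformed record(s) need manual review")
```

Any violation reported here means a flow reached port 2222 or 44818 from a source outside the zone, so the corresponding firewall rule is missing or too permissive.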
Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use Microsoft® AppLocker or other similar allow list applications that can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
Social Engineering Mitigation Strategies
  • Do not open untrusted .ftd files with FactoryTalk Services Platform.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
