Introduction
Description
November 2, 2012 - version 1.0
In response to the ICS-CERT Advisory ICSA-12-201-01 – OSISOFT PI OPC DA INTERFACE BUFFER OVEFLOW, Rockwell Automation’s Security Taskforce conducted a thorough evaluation of Rockwell Automation products that include, or make use of the affected OSIsoft PI OPC DA interface software.
AFFECTED PRODUCTS
As a result of Rockwell Automation’s evaluation, we have determined the following Rockwell Software-brand product includes, and makes use of the OSIsoft PI OPC DA software interface:
FactoryTalk™ Historian SE versions 2.10.00, 2.20.00 and 3.00.00
VULNERABILITY DETAILS
Per ICSA-12-201-01, OSIsoft, LLC proactively disclosed the presence of "a stack-based buffer overflow in the PI OPC DA interface software that could cause the software to crash or allow a remote attacker to execute arbitrary code." Furthermore, "Successful exploitation of this vulnerability could allow a remote, authenticated attacker to execute arbitrary code on a vulnerable system."
Rockwell Automation includes and installs the PI OPC DA interface software with FactoryTalk™ Historian SE; however, this interface is NOT configured and it is NOT running by default. When the PI OPC DA interface software that has been included with the install is used for OPC communications, it is similarly susceptible to the above mentioned stack-based vulnerability and the system-wide effects of successful exploitation of the weakness.
RISK MITIGATION
ICSA-12-201-01 states, "OSIsoft has published a customer notification, and has released a product update that resolves this vulnerability." This release applies specifically to OSIsoft PI OPC DA software.
Rockwell Automation has validated this OSIsoft product update and taken similar measures to proactively release a product update for affected Rockwell Software FactoryTalk Historian SE versions. The software update and associated installation instructions can be found in the Rockwell Automation Knowledgebase at:
AID: 509721 - https://rockwellautomation.custhelp.com/app/answers/detail/a_id/509721
NOTE: We recognize that not all FactoryTalk Historian SE users employ the OPC interface; nonetheless, Rockwell Automation still recommends the above software update be applied to affected software to help mitigate potential future risk should the interface software be used at a later time.
In addition to applying the above software update to affected products, Rockwell Automation’s Security Taskforce recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
3. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/security
