Additional Patches for Rockwell

Tuesday, October 8, 2013 @ 03:10 PM gHale


Rockwell Automation first patched multiple input validation vulnerabilities in its FactoryTalk Services Platform (RNADiagnostics.dll) and RSLinx Enterprise Software (LogReceiver.exe and Logger.dll), according to a report on ICS-CERT.

But that was not all: researcher Carsten Eiram of Risk Based Security, who found the original vulnerabilities, found additional bugs after those patches were released. Rockwell has now released new patches that mitigate the additional, remotely exploitable holes.


The following FactoryTalk Services Platform and RSLinx Enterprise product versions suffer from the issue:
• CPR9
• CPR9-SR1
• CPR9-SR2
• CPR9-SR3
• CPR9-SR4
• CPR9-SR5
• CPR9-SR5.1
• CPR9-SR6

Successful exploitation of these vulnerabilities may result in a denial of service (DoS) condition for the affected services, service termination, and potentially code injection.

Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.

FactoryTalk Services Platform (FTSP) shares data throughout a distributed system and enforces redundancy and fault tolerance while tracking changes in the system.

RSLinx Enterprise is used for design and configuration, providing plant-floor device connectivity for multiple Rockwell software applications. The software also has open interfaces for third-party human-machine interfaces (HMIs), data collection and analysis packages, and custom client applications.

According to Rockwell Automation, both products deploy across several sectors including agriculture and food, water, chemical, manufacturing, and others. The Rockwell product Web site said these products are in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.

The FactoryTalk Services Platform (RNADiagnostics.dll) does not validate input correctly: it attempts to allocate memory using a negative integer taken from the datagram, an allocation that cannot succeed. By sending a negative integer to the service on Port 4445/UDP, an attacker could cause a DoS condition that prevents subsequent connections from being processed, and could possibly cause the RNADiagnostics.dll or RNADiagReceiver.exe service to terminate.

CVE-2012-4713 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

The FactoryTalk Services Platform (RNADiagnostics.dll) likewise does not handle an oversized integer correctly: it attempts an allocation of that size, which cannot succeed. By sending an oversized integer to the service on Port 4445/UDP, an attacker could cause a DoS condition that prevents subsequent connections from being processed, and could possibly cause the service to terminate.

CVE-2012-4714 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

The RSLinx Enterprise Software (LogReceiver.exe and Logger.dll) does not handle input correctly and hits a logic error if it receives a zero-byte or oversized datagram. If an attacker sends a zero-byte datagram to the receiver on Port 4444/UDP (user-configurable, not enabled by default), the service enters a DoS condition in which it silently ignores all further incoming requests.

After discussion with the researcher and the vendor, this vulnerability was determined to be a duplicate of CVE-2012-4715, and the two were combined under a single identifier. CVE-2012-4715 will be retracted from the NVD Web site.

CVE-2012-4695 is the number assigned to the combined vulnerability, which has a CVSS v2 base score of 7.8.

The RSLinx Enterprise Software (LogReceiver.exe) does not handle input correctly and hits a logic error if it receives a datagram with an incorrect value in the “Record Data Size” field. By sending a datagram to the service on Port 4444/UDP with the “Record Data Size” field set to an oversized value, an attacker could cause an out-of-bounds read access violation that crashes the service. A manual reboot is required to recover the service.

CVE-2013-2805 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

The RSLinx Enterprise Software (LogReceiver.exe) also calculates the “Total Record Size” field from the attacker-controlled “Record Data Size” without checking the result. By sending a datagram to the service on Port 4444/UDP with the “Record Data Size” field set to a specifically oversized value, an attacker makes the size arithmetic wrap, so the service calculates an undersized “Total Record Size”; the resulting out-of-bounds read access violation crashes the service. A manual reboot is required to recover the service.

CVE-2013-2807 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

The same unchecked arithmetic affects the “End of Current Record” field in RSLinx Enterprise Software (LogReceiver.exe). By sending a datagram to the service on Port 4444/UDP with the “Record Data Size” field set to a specifically oversized value, an attacker causes the service to calculate an undersized “Total Record Size” and, from it, an incorrect “End of Current Record,” leading to access violations that crash the service. A manual reboot is required to recover the service.

CVE-2013-2806 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
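Both product families share one root cause: a length taken from an untrusted UDP datagram is used for allocation or offset arithmetic before it is bounded against what was actually received. The following C example is added here to illustrate that bug class and its fix; it is not Rockwell's code, and the datagram layouts, field widths, limits and function names (parse_diag, parse_log_records and friends) are assumptions for illustration, not the FactoryTalk Diagnostics (4445/UDP) or RSLinx LogReceiver (4444/UDP) wire formats. It shows the negative and oversized allocation sizes of CVE-2012-4713/4714, the 32-bit wrap that turns a "specifically oversized" Record Data Size into an undersized Total Record Size (CVE-2013-2806/2807), and a hardened parser that rejects zero-byte, negative, oversized and truncated inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed datagram layouts for illustration only. They are NOT the
 * FactoryTalk Diagnostics (4445/UDP) or RSLinx LogReceiver (4444/UDP)
 * wire formats, which the advisory does not publish. */
#define DIAG_LEN_FIELD   4u      /* int32 payload length, then payload     */
#define DIAG_MAX_PAYLOAD 4096u   /* assumed upper bound on a sane payload  */
#define LOG_HDR_SIZE     8u      /* u32 "Record Data Size" + u32 record id */
#define LOG_MAX_RECORD   65535u  /* assumed upper bound on one log record  */

enum parse_status { PARSE_OK = 0, PARSE_EMPTY, PARSE_BAD_LENGTH, PARSE_TRUNCATED };

/* Little-endian 32-bit read; every byte is widened before shifting. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern 1: a signed length from the wire is cast straight to the
 * allocator's size type. A negative value becomes a request the allocator
 * cannot satisfy (CVE-2012-4713 class); an oversized positive one is passed
 * through unchecked (CVE-2012-4714 class). */
size_t unchecked_alloc_size(int32_t wire_len)
{
    return (size_t)wire_len;                 /* -1 becomes SIZE_MAX */
}

/* Vulnerable pattern 2: "Total Record Size" = header + "Record Data Size" in
 * 32-bit arithmetic. A specifically oversized data size wraps the sum below
 * the header size, so "End of Current Record" lands inside the current record
 * and the record walker reads out of bounds (CVE-2013-2806/2807 class). */
uint32_t unchecked_total_record_size(uint32_t record_data_size)
{
    return LOG_HDR_SIZE + record_data_size;  /* 8 + 0xFFFFFFFC wraps to 4 */
}

/* Hardened diagnostics parse: reject empty, negative, oversized, truncated. */
enum parse_status parse_diag(const uint8_t *dg, size_t len, size_t *payload_len)
{
    if (len == 0) return PARSE_EMPTY;
    if (len < DIAG_LEN_FIELD) return PARSE_TRUNCATED;
    int32_t n = (int32_t)rd32(dg);                    /* two's complement assumed */
    if (n < 0) return PARSE_BAD_LENGTH;               /* negative length          */
    if ((uint32_t)n > DIAG_MAX_PAYLOAD) return PARSE_BAD_LENGTH;  /* oversized     */
    if ((size_t)n > len - DIAG_LEN_FIELD) return PARSE_TRUNCATED; /* lies about size */
    *payload_len = (size_t)n;
    return PARSE_OK;
}

/* Hardened record walk: each size is bounded against the bytes actually
 * received before use, and the sum is formed in size_t only after the bound
 * check, so it cannot wrap. */
enum parse_status parse_log_records(const uint8_t *dg, size_t len, size_t *count)
{
    size_t off = 0, n = 0;
    if (len == 0) return PARSE_EMPTY;                 /* zero-byte datagram */
    while (off < len) {
        if (len - off < LOG_HDR_SIZE) return PARSE_TRUNCATED;
        uint32_t data_size = rd32(dg + off);
        if (data_size > LOG_MAX_RECORD) return PARSE_BAD_LENGTH;
        size_t total = (size_t)LOG_HDR_SIZE + data_size;  /* Total Record Size   */
        if (total > len - off) return PARSE_TRUNCATED;    /* overruns datagram   */
        off += total;                                     /* End of Current Record */
        n++;
    }
    *count = n;
    return PARSE_OK;
}

/* Constructed sample datagrams (little-endian fields), not captured traffic. */
const uint8_t diag_ok[]  = { 0x03,0x00,0x00,0x00, 'a','b','c' };
const uint8_t diag_neg[] = { 0xFF,0xFF,0xFF,0xFF };                /* length -1 */
const uint8_t log_ok[]   = { 0x02,0,0,0, 1,0,0,0, 'h','i',        /* record 1  */
                             0x00,0,0,0, 2,0,0,0 };                /* record 2  */
const uint8_t log_wrap[] = { 0xFC,0xFF,0xFF,0xFF, 1,0,0,0 };       /* size 0xFFFFFFFC */

int main(void)
{
    size_t v = 0;
    enum parse_status st;
    printf("unchecked (size_t)-1     = %zu\n", unchecked_alloc_size(-1));
    printf("unchecked 8 + 0xFFFFFFFC = %u\n",
           (unsigned)unchecked_total_record_size(0xFFFFFFFCu));
    printf("diag_neg -> status %d\n", parse_diag(diag_neg, sizeof diag_neg, &v));
    printf("log_wrap -> status %d\n", parse_log_records(log_wrap, sizeof log_wrap, &v));
    st = parse_log_records(log_ok, sizeof log_ok, &v);
    printf("log_ok   -> status %d, records %zu\n", st, v);
    return 0;
}
```

The two unchecked functions reproduce only the arithmetic, not the crash, so the program stays safe to run; the point is that the same attacker-controlled field yields SIZE_MAX in one path and a four-byte "total" in the other, and that a parser which bounds every length against the received datagram length before doing any arithmetic rejects both inputs with a status code instead of stalling or crashing.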

No known public exploits specifically target these vulnerabilities, but an attacker with low skill could exploit them.

Rockwell Automation recommends that asset owners using FTSP or RSLinx CPR9 through CPR9-SR4 upgrade to CPR9-SR5 or newer, and that all asset owners using FTSP or RSLinx CPR9-SR5 or newer apply the patch corresponding to the version they are running.

The patches and details pertaining to these vulnerabilities are on the Rockwell Automation Security Advisory site (login required).
