Rockwell Clears Parser Buffer Overflow
Thursday, September 15, 2016 @ 03:09 PM gHale
Rockwell Automation patched a parser buffer overflow vulnerability in its RSLogix Micro Starter Lite, then upon further investigation found, and fixed, the same issue in RSLogix 500 and the other RSLogix Micro editions, according to an ICS-CERT advisory.
A successful attack could allow malicious code to execute on the target computer at the same privilege level as the logged-in user. The impact to the user’s environment depends heavily on the type of malicious code included in the attack and on the mitigations the user already employs.
Rockwell Automation reports that the vulnerability, discovered by Ariele Caltabiano (kimiya) working with Trend Micro’s Zero Day Initiative (ZDI), affects the following products:
• RSLogix Micro Starter Lite, all versions
• RSLogix Micro Developer, all versions
• RSLogix 500 Starter Edition, all versions
• RSLogix 500 Standard Edition, all versions
• RSLogix 500 Professional Edition, all versions
Milwaukee, WI-based Rockwell Automation provides industrial automation control and information products worldwide across a wide range of industries.
The affected products, RSLogix 500 and RSLogix Micro, are design and configuration software used with certain Rockwell Automation products. The software is for use in systems deployed across several sectors, including chemical, critical manufacturing, food and agriculture, and water and wastewater systems. Rockwell said this product sees use on a worldwide basis.
The vulnerability exists in the code that opens and parses RSLogix 500 and RSLogix Micro project files, which carry the RSS extension.
To exploit it, an attacker must craft a malicious RSS file and get it in front of a user of an affected version.
The buffer overflow triggers when an affected version of the product opens the malicious project file. If the attack succeeds, the attacker’s code runs at the same privilege level as the user logged into the machine.
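How a file parser of this kind ends up with a buffer overflow, and what the missing check looks like, as an added example that is not Rockwell’s code and does not use the real RSS layout (the advisory does not describe that format). The two-byte length-prefixed record, the NAME_MAX buffer size, and the function names are assumptions made for the illustration; the vulnerable parser trusts the length field from the file, the hardened one checks it against both the destination buffer and the bytes actually present before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy record format, for illustration only:
 *   bytes 0-1: little-endian 16-bit length N of the project name
 *   bytes 2..: N bytes of name
 * This is NOT the layout of a real RSLogix .RSS project file.
 */
#define NAME_MAX 32   /* fixed-size destination buffer, typical of a parser */

enum parse_result {
    PARSE_OK = 0,
    PARSE_ERR_SHORT_FILE = -1,   /* fewer than 2 header bytes */
    PARSE_ERR_TOO_LONG   = -2,   /* declared length does not fit NAME_MAX */
    PARSE_ERR_TRUNCATED  = -3    /* declared length exceeds bytes present */
};

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/*
 * VULNERABLE (never call on untrusted input): the length comes from the
 * file and is never compared with sizeof(name). A file declaring N = 200
 * makes memcpy write 200 bytes into a 32-byte stack buffer, the class of
 * bug the advisory describes. Kept only for comparison.
 */
int parse_name_vulnerable(const uint8_t *file, size_t file_len)
{
    char name[NAME_MAX];
    if (file_len < 2)
        return PARSE_ERR_SHORT_FILE;
    uint16_t n = rd_le16(file);
    memcpy(name, file + 2, n);   /* stack buffer overflow when n >= NAME_MAX */
    name[n] = '\0';              /* out-of-bounds write for the same reason */
    printf("project: %s\n", name);
    return PARSE_OK;
}

/*
 * HARDENED: the length taken from the file is checked against the
 * destination buffer and against the bytes actually present before any
 * copy. Returns PARSE_OK with a NUL-terminated name in out, or an error.
 */
int parse_name_hardened(const uint8_t *file, size_t file_len, char out[NAME_MAX])
{
    if (file_len < 2)
        return PARSE_ERR_SHORT_FILE;
    uint16_t n = rd_le16(file);
    if (n >= NAME_MAX)             /* >= keeps one byte for the terminator */
        return PARSE_ERR_TOO_LONG;
    if ((size_t)n > file_len - 2)  /* declared length must be backed by data */
        return PARSE_ERR_TRUNCATED;
    memcpy(out, file + 2, n);
    out[n] = '\0';
    return PARSE_OK;
}

/*
 * Builds a constructed record: declared length n, then n bytes of fill.
 * Returns bytes written, or 0 if buf cannot hold the record.
 */
size_t build_record(uint8_t *buf, size_t buf_len, uint16_t n, uint8_t fill)
{
    if (buf_len < (size_t)n + 2)
        return 0;
    buf[0] = (uint8_t)(n & 0xFF);
    buf[1] = (uint8_t)(n >> 8);
    memset(buf + 2, fill, n);
    return (size_t)n + 2;
}

int main(void)
{
    uint8_t file[512];
    char out[NAME_MAX];

    /* Benign project file with a 6-byte name: both parsers handle it. */
    size_t len = build_record(file, sizeof file, 6, 'P');
    parse_name_vulnerable(file, len);
    printf("hardened, benign:    %d\n", parse_name_hardened(file, len, out));

    /* Malicious project file declaring a 200-byte name. Only the hardened
     * parser is called here; the vulnerable one would smash the stack. */
    len = build_record(file, sizeof file, 200, 'A');
    printf("hardened, malicious: %d\n", parse_name_hardened(file, len, out));
    return 0;
}
```

The two checks in the hardened version are the whole fix: one bounds the copy by the destination, the other by the source, and both must run before memcpy. The same pattern applies to every length, count or offset read from an untrusted project file.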
CVE-2016-5814 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
This vulnerability is not remotely exploitable and requires user interaction: it triggers only when a local user runs the vulnerable application and loads the malformed RSS file, though the file itself can reach the user by e-mail or other social engineering.
No known public exploits specifically target this vulnerability.
Crafting a working exploit for this vulnerability would be easy. Delivering it, however, requires social engineering to convince the user to accept the malformed RSS file, and further user interaction to open it in the application. This decreases the likelihood of a successful exploit.
Rockwell recommends the following precautionary measures as additional risk mitigation strategies for this type of attack. If possible, employ multiple strategies simultaneously:
• Users of affected versions of RSLogix 500 and RSLogix Micro are encouraged to apply the patch, which addresses the risk and adds improvements to further harden the software against similar attacks. For RSLogix Micro version 8.40.00 or RSLogix 500 version 8.40.00, apply patch KB878490, available on Rockwell’s web site.
• Do not open untrusted RSS files with RSLogix 500 and RSLogix Micro.
• Run all software as a standard user, not as an administrator, to minimize the impact of malicious code on an infected system. Because code injected through this vulnerability runs with the privileges of the user who opened the file, this directly bounds what a successful exploit can do.
• Use trusted software, software patches, and anti-virus/anti-malware programs, and interact only with trusted web sites and attachments.
• Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
• Use of Microsoft AppLocker or a similar application whitelisting tool can help mitigate risk. Rockwell publishes guidance on using AppLocker with its products.
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be kept at the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.
For more information on this issue, see Rockwell’s publication KB89582.