Rockwell Fixes RSView32 Vulnerability

Wednesday, May 27, 2015 @ 10:05 AM gHale

Rockwell Automation created a patch to mitigate a password encryption vulnerability in RSView32, according to a report on ICS-CERT.

Information Security Analysts Vladimir Dashchenko and Dmitry Dementjev of the Ural Security System Center (USSC) reported this vulnerability directly to Rockwell Automation.

Schneider Fixes OFS Server Hole
Emerson Fixes SQL Injection Issue
OleumTech Fixes WIO Family Holes
More Holes Filled in Healthcare System

RSView32 — 7.60.00 (CPR9 SR4) and all prior versions suffer from the issue.

An attacker who exploits this vulnerability may be able to gain access to user-defined passwords.

Milwaukee, WI-based Rockwell Automation provides industrial automation control and information products across a wide range of industries.

The affected product, RSView32, is an HMI system used for monitoring and controlling automation machines and processes. RSView32 sees action across several sectors including critical manufacturing, energy, water and wastewater systems, and others. Rockwell Automation estimates that these products see use globally.

A vulnerability has been discovered in the encryption approach used by RSView32 to create a password storage file used with the software.

User-defined usernames and passwords for RSView32 end up stored within a specific file. The associated weakness in the file is a result of the software using older weak and outdated encryption algorithms compared to contemporary encryption technologies. Use of older algorithms may be susceptible to unauthorized decryption. If successfully exploited, user-defined passwords can end up revealed.

This exploit requires an attacker gaining local access to the specific file storing passwords local to the RSView32 product. This involves local or remote access, reverse-engineering, and some form of successful social-engineering.

CVE-2015-1010 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.0.

This vulnerability is not exploitable remotely. This exploit only triggers when a local user obtains and decrypts the file containing access credentials.

No known public exploits specifically target this vulnerability. Crafting a working exploit for this vulnerability would be difficult.

The software patch released by Rockwell Automation for the RSView32 mitigates the risk associated with the discovered password vulnerability. Rockwell Automation encourages asset owners/operators using affected versions of the RSView32 to deploy this patch and take these additional precautions:
1. View the specific Rockwell Automation Advisory AID 700915 and the accompanying patch. Registered users login required for access.
2. Limit access to assets with RSView32 and other software to only authorized personnel.
3. Restrict and segment network access to assets with RSView32 and other software as appropriate.
4. Use trusted software and software patches obtained only from highly reputable sources.
5. Interact with, and only obtain software and software patches from trustworthy web sites.
6. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Click here for information on using AppLocker with Rockwell Automation products.
7. Follow good network design practices that include network separation and segmentation, use of DMZs with properly configured firewalls to selectively control and monitor traffic passed between zones and systems.
8. Maintain layered physical and logical security, defense-in-depth design practices for the ICS.
9. Reaffirm with employees the importance for constant vigilance, especially the ongoing potential for social engineering attacks to manipulate otherwise normal user behaviors.
10. Upgrade the affected product to a more contemporary, in-support product and compatible operating system.
11. Establish a staged patch management and product upgrade strategy if one does not exist.

The vendor recommends customers consider upgrading their software and compatible operating systems to more contemporary versions wherever possible. It is also advisable users adopt measures to keep products current and patched.

For users who must continue to use RSView32, the vendor strongly recommends they upgrade the operating system on which the product runs, to a RSView32-compatible version that is as current as possible, and is still in support by the manufacturer.

Leave a Reply

You must be logged in to post a comment.