Rockwell Patches FactoryTalk

Thursday, March 29, 2012 @ 11:03 AM gHale

Rockwell Automation has a patch for two vulnerabilities that may result in a denial-of-service (DoS) condition within FactoryTalk (FT).

The vulnerabilities first released by researcher Luigi Auriemma, along with proof-of-concept code, without coordination with ICS-CERT, the vendor, or other coordinating entity. The two vulnerabilities included an unexpected return value and a read access violation.

RELATED STORIES
Ecava Patches IntegraXor Vulnerability
GE Patches Series of Vulnerabilities
Multiple Holes with xArrow
ABB Patches Robot Software

Rockwell’s Security Taskforce said the following Allen-Bradley products suffer from the vulnerabilities:
• RSLogix 5000 (versions 17, 18, 19, 20)
• Factory Talk (CPR9 up to and including CPR9 SR5)
• FT Directory
• FT Alarms & Events
• FT View SE
• FT Diagnostics
• FT Live Data
• FT Server Health.

Successful exploitation of this vulnerability may result in a DoS.

Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries. The FactoryTalk Services Platform is a collection of production and performance management systems.

An unexpected return value can occur by a specially crafted packet which can cause the Rockwell Automation FactoryTalk RNADiagReceiver service listening on Port 4445/UDP to stop processing packets. This vulnerability may lead to a DoS condition. CVE-2012-0221 is the number assigned to this vulnerability.

A read access violation vulnerability exists in Rockwell Automation’s FactoryTalk platform. A specially crafted packet can go to the RNADiagReceiver service listening on Port 4445/UDP resulting in a possible DoS condition. CVE-2012-0222 is the number assigned to this vulnerability.

These are remotely exploitable and public exploits are targeting these vulnerabilities. An attacker with a low skill level may be able to exploit these vulnerabilities.

Rockwell developed a security update to address these vulnerabilities. To download and install the update please refer to the Rockwell Advisory.

http://rockwellautomation.custhelp.com/app/answers/detail/a_id/469937

In addition to applying the patch, Rockwell Automation recommends customers configure firewalls to block the following TCP ports to prevent traversal of RNA messages into and out of the ICS system:
• 1330
• 1331
• 1332
• 4241
• 4242
• 4445
• 4446
• 6543
• 9111
• 60093
• 49281