Rockwell Patches Security Bugs

Monday, April 8, 2013 @ 06:04 PM gHale


Rockwell Automation has produced patches that mitigate the multiple input validation vulnerabilities in the company’s FactoryTalk Services Platform (RNADiagnostics.dll) and RSLinx Enterprise Software (LogReceiver.exe and Logger.dll), according to a report on ICS-CERT.

Rockwell Automation tested the patches to validate they resolve the remotely exploitable vulnerabilities.


The following FactoryTalk Services Platform and RSLinx Enterprise versions are affected: CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6.

Successful exploitation of these vulnerabilities, discovered by researcher Carsten Eiram of Risk Based Security, may result in a denial of service (DoS) condition to the services, service termination, and the potential for code injection.

Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.

The affected product, FactoryTalk Services Platform (FTSP), shares data throughout a distributed system and enforces redundancy and fault tolerance while tracking changes in the system.

The other affected product, RSLinx Enterprise, is a design and configuration tool that provides plant-floor device connectivity for multiple Rockwell software applications. It also offers open interfaces for third-party human-machine interfaces (HMIs), data collection and analysis packages, and custom client applications.

Rockwell said both products work across several sectors including agriculture and food, water, chemical, manufacturing, and others. The Rockwell product Web site states that these products are used in France, Italy, the Netherlands, and other countries in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.

The FactoryTalk Services Platform (RNADiagnostics.dll) does not validate input correctly and cannot allocate a negative integer. By sending a negative integer input to the service over Port 4445/UDP, an attacker could cause a DoS condition that prevents subsequent processing of connections. An attacker could possibly cause the RNADiagnostics.dll or RNADiagReceiver.exe service to terminate.

CVE-2012-4713 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

The FactoryTalk Services Platform (RNADiagnostics.dll) does not handle input correctly and cannot allocate an over-sized integer. By sending an over-sized integer input to the service over Port 4445/UDP, an attacker could cause a DoS condition that prevents subsequent processing of connections. An attacker could possibly cause the service to terminate.

CVE-2012-4714 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

The RSLinx Enterprise Software (LogReceiver.exe and Logger.dll) does not handle input correctly and hits a logic error if it receives a zero-byte datagram. If an attacker sends a zero-byte datagram to the receiver over Port 4444/UDP (user-configurable, not enabled by default), the attacker would cause a DoS condition in which the service silently ignores further incoming requests.

CVE-2012-4695 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

The RSLinx Enterprise Software (LogReceiver.exe and Logger.dll) does not handle input correctly and hits a logic error if it receives a large datagram. If an attacker sends a specially crafted large datagram to the receiver over Port 4444/UDP (user-configurable, not enabled by default), the attacker would cause the LogReceiver.exe service to terminate and could potentially achieve code execution.

CVE-2012-4715 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.5.
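As an added illustration that is not drawn from the advisory or from Rockwell's code, the following C receiver shows the length-validation checks that address the four failure classes described above (negative length, over-sized length, zero-byte datagram, large datagram). It assumes a hypothetical simplified frame layout of a 4-byte big-endian signed length followed by the payload; MAX_PAYLOAD, validate_frame and receiver_feed are made-up names, not the products' own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed simplified frame layout (hypothetical, not Rockwell's format):
 * 4-byte big-endian signed length field followed by that many payload bytes. */
#define MAX_PAYLOAD 4096u

enum frame_status {
    FRAME_OK = 0,
    FRAME_EMPTY,      /* zero-byte datagram: nothing to parse, must be dropped */
    FRAME_SHORT,      /* fewer than 4 header bytes */
    FRAME_NEGATIVE,   /* signed length below zero */
    FRAME_OVERSIZED,  /* length above the policy cap */
    FRAME_TRUNCATED   /* declared length exceeds bytes actually received */
};

/* Counters for a receiver that must keep serving after bad input. */
struct receiver { unsigned accepted; unsigned dropped; };

/* The allocation size an unchecked receiver would request when it passes a
 * signed length straight to malloc: negative values wrap to a huge size_t. */
size_t unchecked_alloc_size(int32_t declared) { return (size_t)declared; }

/* Check every length-related precondition before any allocation happens. */
enum frame_status validate_frame(const uint8_t *buf, size_t len, size_t *payload_len)
{
    if (len == 0) return FRAME_EMPTY;
    if (len < 4) return FRAME_SHORT;
    uint32_t raw = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
                 | ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if ((int32_t)raw < 0) return FRAME_NEGATIVE;
    if (raw > MAX_PAYLOAD) return FRAME_OVERSIZED;
    if ((size_t)raw > len - 4) return FRAME_TRUNCATED;
    *payload_len = raw;
    return FRAME_OK;
}

/* Process one datagram: copy a valid payload, drop anything else, and in
 * either case leave the receiver ready for the next datagram. */
enum frame_status receiver_feed(struct receiver *r, const uint8_t *buf, size_t len)
{
    size_t n = 0;
    enum frame_status st = validate_frame(buf, len, &n);
    if (st != FRAME_OK) { r->dropped++; return st; }
    uint8_t *copy = malloc(n ? n : 1);   /* bounded by MAX_PAYLOAD */
    if (!copy) { r->dropped++; return FRAME_OVERSIZED; }
    memcpy(copy, buf + 4, n);
    free(copy);                          /* real code would hand it to the logger */
    r->accepted++;
    return FRAME_OK;
}
```

The point of receiver_feed is that a malformed datagram is counted and dropped without leaving any state behind, so the next datagram is still served.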

No known public exploits specifically target these vulnerabilities, but an attacker with a low skill level would be able to exploit them.

Rockwell’s recommendation to asset owners using FTSP or RSLinx CPR9 through CPR9-SR4 is to upgrade to CPR9-SR5 or newer. Rockwell also recommends that all asset owners using FTSP or RSLinx CPR9-SR5 and newer apply the corresponding patch for the version they are using.

The patches and details pertaining to these vulnerabilities are at the Rockwell Automation Security Advisory link.

In addition, asset owners can find security information for other Rockwell Automation products at the Security Advisory Index page.
