RSLogix 5000 Password Hole Fixed

Wednesday, February 5, 2014 @ 02:02 PM gHale


Rockwell Automation produced a new version that mitigates a password vulnerability in the Rockwell Automation RSLogix 5000 software, according to a report on ICS-CERT.

The following RSLogix 5000 software versions suffer from the issue, discovered by Independent researcher Stephen Dunlap: Project files (.ACD) created using RSLogix 5000 software, V7 through V20.01 and V21.0 containing password protected content.

RELATED STORIES
3S Fixes CoDeSys Runtime Toolkit Hole
Schneider Patches DNP3 Vulnerability
GE Proficy Vulnerabilities
S4 Report: Ecava Vulnerability

The RSLogix 5000 software vulnerability may allow customer-defined passwords, used to protect certain user-configured content, to end up compromised. Successful exploitation may result in an unauthorized disclosure of user-created content. Exploitation will not directly disrupt operation of Rockwell Automation programmable controllers or other devices in the control system.

Rockwell Automation, which is a U.S.-based company, provides industrial automation control and information products worldwide across a wide range of industries.

The affected product, RSLogix 5000 software, is design and configuration software used with certain Rockwell Automation products. The software is in systems deployed across several sectors including chemical, critical manufacturing, food and agriculture, water and wastewater, and others, according to Rockwell Automation. It is a globally available product used in the United States and the rest of the world.

The vulnerability in RSLogix 5000 software, V7 through V20.01 and V21.0 may allow customer-defined passwords, used to protect certain user-configured content, to end up compromised. Such passwords can help prevent unauthorized access and viewing or tampering of particular content stored in controller configuration programs. Successful exploitation will not directly disrupt operation of Rockwell Automation programmable controllers or other devices in the control system.

CVE-2014-0755 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.

This vulnerability is not exploitable remotely and cannot undergo exploitation without user interaction. The exploit only ends up triggered when a local user accesses the password file.

No known public exploits specifically target this vulnerability. An attacker with a medium skill would be able to exploit this vulnerability.

New RSLogix 5000 versions, V20.03 and V21.03, address this vulnerability, Rockwell said. These releases include mitigations that enhance password protection.

Project files created in earlier affected RSLogix 5000 versions of software must end up opened, resaved, and then downloaded to the appropriate controller to mitigate the risk associated with this discovered vulnerability.

One important note Rockwell said was files with protected content opened and updated using enhanced software will no longer be compatible with earlier versions of RSLogix 5000 software. For example, a V20.01 project file with protected content opened and resaved using V20.03 software can only open with V20.03 and higher versions of software. Also, a V21.00 project file with protected content opened and resaved using V21.03 software can only open with V21.03 and higher versions of software.

For the procedure to update project files, please refer to Rockwell Automation Knowledgebase AID:565204.

In addition to using current RSLogix 5000 software, Rockwell Automation also recommends the following actions to all concerned customers:
• Where possible, adopt a practice to track creation and distribution of protected ACD files, including duplicates and derivatives that contain protected content.
• Where possible, securely archive protected ACD files or those that contain protected content in a manner that prevents unauthorized access. For instance, store protected ACD files in physical and logical locations where access can end up controlled and the files are stored in a protected, potentially encrypted manner.
• Where possible, securely transmit protected ACD files or those that contain protected content in a manner that prevents unauthorized access. For instance, email protected ACD files only to known recipients and encrypted the files such that only the target recipient can decrypt the content.
• Where possible, restrict physical and network access to controllers containing protected content only to authorized parties in order to help prevent unauthorized uploading of protected material into an ACD file. For some customers, FactoryTalk Security software may be a suitable option to assist customers with applying a Role-based Access Control (RBAC) solution to their system. FactoryTalk Security integrated into RSLogix 5000 Version 10.00.
• Where possible, use a unique and complex password for each routine or Add-On Instruction desirable to protect, so as to reduce the risk that multiple files and protected content could end up compromised, should a single password become learned.
• Where possible, adopt a password management practice to periodically change passwords applied to routines and Add-On Instructions to help mitigate the risk that a learned password may remain usable for an extended period of time or indefinitely.

Rockwell Automation encourages their customers to subscribe to Rockwell Automation’s Security Advisory Index (AID:54102) for new and relevant information relating to this and other security-related matters.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web page.



Leave a Reply

You must be logged in to post a comment.