Rockwell Automation released new software to fix multiple vulnerabilities in its RSLinx Classic, according to a report with NCCIC.
The vulnerabilities are a stack-based buffer overflow, a heap-based buffer overflow, and a resource exhaustion issue.
Successful exploitation of these remotely exploitable vulnerabilities, discovered by Rockwell Automation working with Tenable and Younes Dragoni of Nozomi Networks, could crash the device being accessed or allow arbitrary code execution on the device.
RSLinx Classic, a software platform that allows Logix5000 Programmable Automation Controllers to connect to a wide variety of Rockwell Software applications, suffers from the vulnerabilities in Versions 4.00.01 and prior.
The stack-based buffer overflow may allow a remote threat actor to intentionally send a malformed CIP packet to Port 44818, causing the software application to stop responding and crash. The buffer overflow condition also has the potential to be exploited, which may allow the threat actor to remotely execute arbitrary code.
CVE-2018-14829 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.
The heap-based buffer overflow may allow a remote, unauthenticated threat actor to intentionally send a malformed CIP packet to Port 44818, causing the RSLinx Classic application to terminate. The user will need to manually restart the software to regain functionality.
CVE-2018-14821 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In the resource exhaustion issue, a remote, unauthenticated threat actor may intentionally send specially crafted EtherNet/IP packets to Port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality.
CVE-2018-14827 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
The product sees use mainly in the critical manufacturing, energy, and water and wastewater systems sectors. It is also used on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.
Rockwell Automation released a new version of the software that can be found at Rockwell Automation knowledgebase article KB 1075712 (login is required).
Rockwell Automation also reports users can disable Port 44818 if it is not utilized during system operation. For more details on how to disable the port and for Rockwell Automation’s general security guidelines, please visit knowledgebase article KB 1075747 (login is required).
Please see Rockwell Automation’s industrial security advisory on their website for further details (login is required).
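One way to confirm whether Port 44818 is still exposed on a workstation, before and after the port is disabled, is to audit the output of Windows `netstat -ano`. The script below is an added example, not code from Rockwell Automation or NCCIC; the sample output, addresses, PIDs and the allowed subnet are constructed, and the allow-list of expected peers is an assumption of this example.

```python
import ipaddress

PORT = 44818  # port named in the advisory

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:44818          0.0.0.0:0              LISTENING       2344
  TCP    10.20.0.5:44818        10.20.0.31:50122       ESTABLISHED     2344
  TCP    10.20.0.5:44818        172.16.9.8:61200       ESTABLISHED     2344
  TCP    10.20.0.5:52011        10.20.0.40:44818       ESTABLISHED     2344
  UDP    0.0.0.0:44818          *:*                                    2344
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6%zone]:port'; port is None for '*'."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]").split("%")[0], int(port) if port.isdigit() else None

def audit(netstat_text, allowed_peers):
    """Return (kind, proto, address, pid) findings for sockets on local PORT.

    allowed_peers is a list of CIDR strings expected to reach the port
    (an assumption of this example; the advisory defines no such list).
    """
    nets = [ipaddress.ip_network(cidr) for cidr in allowed_peers]
    findings = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        laddr, lport = split_endpoint(f[1])
        if lport != PORT:
            continue  # includes outbound sessions to a remote 44818
        proto, pid = f[0], int(f[-1])
        state = f[3] if proto == "TCP" else ""  # UDP rows have no state
        if proto == "UDP" or state == "LISTENING":
            # Bound beyond loopback: reachable from the network.
            if not ipaddress.ip_address(laddr).is_loopback:
                findings.append(("exposed-listener", proto, laddr, pid))
        else:
            raddr, _ = split_endpoint(f[2])
            peer = ipaddress.ip_address(raddr)
            if not any(peer in net for net in nets):
                findings.append(("unexpected-peer", proto, raddr, pid))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["10.20.0.0/24"]):
        print(finding)
```

An empty result after the port has been disabled indicates that nothing on the host is listening on or connected through Port 44818; the PID in each finding identifies the owning process.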