Rockwell Automation has released an update to mitigate a heap-based buffer overflow in its FactoryTalk Services Platform, according to a report with NCCIC. Successful exploitation of this vulnerability could allow a remote attacker to degrade communications or cause a complete denial of service on the device.
FactoryTalk Services Platform, a services-oriented architecture platform, suffers from the remotely exploitable vulnerability in v2.90 and earlier; it was discovered by Andrey Zhukov. A remote, unauthenticated attacker could send numerous crafted packets to the platform's service ports, resulting in memory consumption that could lead to a partial or complete denial-of-service condition in the affected services. CVE-2018-18981 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product sees use mainly in the food and agriculture, transportation systems, and water and wastewater systems sectors, and it is deployed worldwide. No known public exploits specifically target this vulnerability; however, an attacker with a low skill level could leverage it, and because no authentication is required, network reachability of the service ports is the deciding exposure factor. Rockwell Automation recommends affected users update to the latest version of the application.
The latest version is available from Rockwell Automation. For more information see Rockwell Automation security advisory 1074747.
Rockwell Automation recommends the following practices to secure this and other control systems devices:
- Run all software as a standard user, not as an administrator, to minimize the impact of malicious code on an infected system.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Refer to 546987 — Rockwell Automation Customer Hardening Guidelines for the latest published guidelines for PC hardening and software security.
- Use of Microsoft AppLocker or a similar application whitelisting tool can help mitigate risk. Rockwell Automation publishes guidance on using AppLocker with its products (login required).
- Ensure the least-privilege principle is followed, and grant user/service accounts access to shared resources (such as a database) only with the minimum rights needed.
- Use trusted software, software patches, and anti-virus/anti-malware programs.
- Minimize network exposure for all control system devices and/or systems, and confirm they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the enterprise network.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices it connects.
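The AppLocker whitelisting and least-privilege items above can be staged with the built-in AppLocker cmdlets. The script below is an added example, not code from Rockwell Automation, the advisory, or the login-only knowledge base article; the FactoryTalk install paths and the filter on "Rockwell" in service paths are assumptions for illustration, and the script must be run from an elevated PowerShell on a Windows host with AppLocker support.

```powershell
# Added example (not Rockwell Automation's own code): build an AppLocker
# allow-list from an existing FactoryTalk installation, stage it in AuditOnly
# mode so false positives are logged rather than blocked, and check which
# accounts the FactoryTalk services run as. Paths below are assumptions.

$ReferenceDirs = @(
    'C:\Program Files (x86)\Rockwell Software',      # assumed install path
    'C:\Program Files (x86)\Common Files\Rockwell'   # assumed install path
)

# AppLocker rules are only enforced while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Collect signature, hash and path information for the binaries to allow.
$FileInfo = foreach ($dir in $ReferenceDirs) {
    if (Test-Path -Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse `
            -FileType Exe, Dll, Script, WindowsInstaller
    }
}

# Prefer publisher rules (they survive signed patches); fall back to hash rules
# for unsigned files. -Optimize merges redundant rules into one per publisher.
$Policy = $FileInfo | New-AppLockerPolicy -RuleType Publisher, Hash `
    -User Everyone -Optimize

# Stage every rule collection in AuditOnly: blocked executions appear as
# event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log instead
# of being denied. Switch to 'Enabled' only after the log is clean.
foreach ($collection in $Policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# Merge with any existing local policy rather than replacing it.
Set-AppLockerPolicy -PolicyObject $Policy -Merge

# Dry-run: would an unexpected binary dropped by a phishing payload be allowed?
# The path is a constructed example.
Test-AppLockerPolicy -PolicyObject $Policy -User Everyone `
    -Path 'C:\Users\Public\dropper.exe'

# Least-privilege check: list services whose binary lives under a Rockwell
# path together with the account they log on as. Anything running as
# LocalSystem or an administrator account deserves a second look.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*Rockwell*' } |
    Select-Object Name, StartName, StartMode, State |
    Format-Table -AutoSize
```

Run the audit stage for a full production cycle (including any scheduled maintenance that launches installers or updaters) before flipping the collections to Enabled; a whitelist that blocks a legitimate updater is itself a denial of service on the control system host.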