Rockwell Automation released a new version of software that fixes a parser buffer overflow vulnerability first reported in September in its RSLogix Micro Starter Lite and, after further investigation, also found in RSLogix 500 and other versions of RSLogix Micro, according to a report with ICS-CERT.
The new software is Version 11.00.00. Ariele Caltabiano (kimiya), working with Trend Micro’s Zero Day Initiative, identified the vulnerability.
Rockwell said the vulnerability affects the following products:
• RSLogix Micro Starter Lite, Version 10.00.00 or prior
• RSLogix Micro Developer, Version 10.00.00 or prior
• RSLogix 500 Starter Edition, Version 10.00.00 or prior
• RSLogix 500 Standard Edition, Version 10.00.00 or prior
• RSLogix 500 Professional Edition, Version 10.00.00 or prior
A successful attack could allow malicious code to execute on the target computer at the same privilege level as the logged-in user. The impact on the user’s environment depends heavily on the type of malicious code included in the attack and on the mitigations the user already employs.
Milwaukee, WI-based Rockwell Automation provides industrial automation control and information products worldwide across a wide range of industries.
The affected products, RSLogix 500 and RSLogix Micro, are design and configuration software used with certain Rockwell products. The software is used in systems deployed across several sectors, including chemical, critical manufacturing, food and agriculture, and water and wastewater systems, and is deployed globally.
The vulnerability exists in the code that opens and parses RSLogix 500 and RSLogix Micro project files, which carry an RSS extension. To exploit it, an attacker must create a malicious RSS file; the buffer overflow is triggered when an affected version of the product opens that file. If the attack succeeds, the malicious code runs at the same privilege level as the user logged into the machine.
CVE-2016-5814 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
This vulnerability is not exploitable remotely and cannot be exploited without user interaction. The exploit triggers only when a local user runs the vulnerable application and loads the malformed RSS file. No known public exploits specifically target this vulnerability.
Crafting a working exploit for this vulnerability would be difficult. An exploit would require social engineering to convince the user to accept the malformed RSS file, and additional user interaction is needed to load it. This decreases the likelihood of a successful exploit.
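The bug class described above, a file parser that trusts a length field read from the file it is opening, is shown in the added C example below. It is not Rockwell’s code and does not reflect the real RSS format, which is proprietary and not documented on this page. The record layout (a two-byte little-endian length followed by a name), the 32-byte buffer, the function names and the three sample files are all assumptions constructed for illustration. The example places the unchecked copy beside a hardened version that validates the declared length against both the bytes actually present in the file and the capacity of the destination buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative project-file record (an ASSUMPTION for this example; the real
 * RSLogix RSS layout is proprietary and not described on the page):
 *   bytes 0..1 : little-endian u16, declared length of the name field
 *   bytes 2..  : name bytes, not NUL-terminated in the file               */
#define NAME_CAP 32   /* fixed-size destination the parser copies into */

struct project_hdr {
    char name[NAME_CAP];
    int  name_len;
};

static uint16_t rd_u16le(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Declared name length as stored in the file, or -1 if the header is short. */
int declared_name_len(const unsigned char *file, size_t file_len)
{
    return file_len < 2 ? -1 : (int)rd_u16le(file);
}

/* Vulnerable pattern: the attacker-controlled length drives memcpy with no
 * check against the remaining file bytes (out-of-bounds read) or NAME_CAP
 * (overflow of hdr->name). A file declaring 0x0200 bytes writes 480 bytes
 * past the end of the 32-byte buffer.                                       */
int parse_hdr_unsafe(const unsigned char *file, size_t file_len,
                     struct project_hdr *hdr)
{
    if (file_len < 2) return -1;
    uint16_t n = rd_u16le(file);
    memcpy(hdr->name, file + 2, n);   /* BUG: n is never validated */
    hdr->name_len = n;
    return 0;
}

/* Hardened form: validate the declared length against both bounds before
 * touching memory, and fail closed on anything inconsistent.               */
int parse_hdr_safe(const unsigned char *file, size_t file_len,
                   struct project_hdr *hdr)
{
    if (file_len < 2) return -1;
    uint16_t n = rd_u16le(file);
    if (n > file_len - 2) return -2;  /* claims more bytes than the file holds */
    if (n >= NAME_CAP)    return -3;  /* would not fit, leaving room for a NUL */
    memcpy(hdr->name, file + 2, n);
    hdr->name[n] = '\0';
    hdr->name_len = n;
    return 0;
}

/* Constructed sample files (not captured from real RSS files). */
static const unsigned char BENIGN_FILE[] = {
    0x0B, 0x00,                                   /* length = 11 */
    'P','u','m','p','S','t','a','t','i','o','n'
};
static const unsigned char TRUNCATED_FILE[] = {
    0x00, 0x02,                                   /* length = 512 ... */
    'A','A','A','A','A','A','A','A'               /* ... but only 8 bytes follow */
};
static const unsigned char OVERSIZED_FILE[] = {
    0x28, 0x00,                                   /* length = 40 > NAME_CAP */
    'B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B',
    'B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B'
};

/* Small wrappers that return plain values for checking. */
int safe_status(const unsigned char *file, size_t file_len)
{
    struct project_hdr h;
    return parse_hdr_safe(file, file_len, &h);
}

int safe_name_is(const unsigned char *file, size_t file_len, const char *expect)
{
    struct project_hdr h;
    if (parse_hdr_safe(file, file_len, &h) != 0) return 0;
    return strcmp(h.name, expect) == 0;
}

/* Only call with a well-formed file: the unsafe parser trusts the length. */
int unsafe_name_is(const unsigned char *file, size_t file_len, const char *expect)
{
    struct project_hdr h;
    memset(&h, 0, sizeof h);
    if (parse_hdr_unsafe(file, file_len, &h) != 0) return 0;
    return h.name_len == (int)strlen(expect)
        && memcmp(h.name, expect, (size_t)h.name_len) == 0;
}

int main(void)
{
    printf("benign    safe=%d unsafe-ok=%d\n",
           safe_status(BENIGN_FILE, sizeof BENIGN_FILE),
           unsafe_name_is(BENIGN_FILE, sizeof BENIGN_FILE, "PumpStation"));
    printf("truncated safe=%d declared=%d\n",
           safe_status(TRUNCATED_FILE, sizeof TRUNCATED_FILE),
           declared_name_len(TRUNCATED_FILE, sizeof TRUNCATED_FILE));
    printf("oversized safe=%d\n", safe_status(OVERSIZED_FILE, sizeof OVERSIZED_FILE));
    /* Handing TRUNCATED_FILE or OVERSIZED_FILE to parse_hdr_unsafe would
     * write past hdr->name; deliberately not done here.                  */
    return 0;
}
```

Compile with `cc -Wall example.c` and run. The hardened parser returns 0 for the benign record, -2 for a record whose declared length exceeds the bytes actually present (the out-of-bounds read case) and -3 for one that is present in full but too large for the buffer (the overflow case). Only the benign record is ever handed to the unsafe parser, because either malformed record would corrupt memory past the 32-byte name field, which is the kind of overflow the advisory describes.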
Rockwell recommended the following precautionary measures as additional risk mitigation strategies for this type of attack. If possible, employ multiple strategies simultaneously.
• Users of affected versions of RSLogix 500 and RSLogix Micro should update to Version 11.00.00, which addresses the associated risk and includes improvements to further harden the software and enhance its resilience against similar attacks. Version 11.00.00 is available for download on Rockwell’s web site.
• Users of RSLogix Micro Version 8.40.00 or RSLogix 500 Version 8.40.00 may apply patch KB878490 until they are able to update to Version 11.00.00. The patch is available for download on Rockwell’s web site.
• Do not open untrusted RSS files with RSLogix 500 and RSLogix Micro.
• Run all software as a standard user, not as an administrator, to minimize the impact of malicious code on the infected system.
• Use trusted software, software patches, and anti-virus/anti-malware programs, and interact only with trusted web sites and attachments.
• Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
• Using Microsoft AppLocker or a similar application whitelisting tool can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available, with a valid account, at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.
For more information on this issue, see Rockwell’s publication 898582 on its web site.