Rockwell Automation has an update to mitigate cross-site scripting and an improper restriction of operations within the bounds of a memory buffer vulnerabilities in its Factory Talk, according to a report with NCCIC.
Successful exploitation of these remotely exploitable vulnerabilities, which Rockwell self-reported, could allow a remote attacker to access sensitive information, rewrite content, or cause a buffer overflow that could result in remote code execution.
Rockwell Automation reports these vulnerabilities affect licensing management software in the following FactoryTalk Activation Manager products:
• FactoryTalk Activation Manager v4.00 and v4.01
— Ships with Wibu-Systems CodeMeter v6.50b and earlier
• FactoryTalk Activation Manager v4.00 and earlier
— Ships with FlexNet Publisher v220.127.116.11 and earlier
The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. Users who recognize products from the following list are using FactoryTalk Activation Manager:
• FactoryTalk AssetCentre
• FactoryTalk Batch
• FactoryTalk EnergyMetrix
• FactoryTalk eProcedure
• FactoryTalk Gateway
• FactoryTalk Historian Classic
• FactoryTalk Historian Site Edition (SE)
• FactoryTalk Information Server
• FactoryTalk Metrics
• FactoryTalk Transaction Manager
• FactoryTalk VantagePoint
• FactoryTalk View Machine Edition (ME)
• FactoryTalk View Site Edition (SE)
• FactoryTalk ViewPoint
• RSLinx Classic
• RSLogix 500
• RSLogix 5000
• RSLogix Emulate 5000
• SoftLogix 5800
• Studio 5000 Architect
• Studio 5000 Logix Designer
• Studio 5000 Logix Emulate
• Studio 5000 View Designer
In one issue, a cross-site scripting (“XSS”) vulnerability was found in certain versions of Wibu-Systems CodeMeter that may allow local attackers to inject arbitrary web script or HTML via a specific field in a configuration file, allowing an attacker to access sensitive information, or even rewrite the content of the HTML page.
CVE-2017-13754 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 2.7.
In addition, a custom string copying function of the license server manager in FlexNet Publisher does not use proper bounds checking on incoming data, allowing a remote, unauthenticated user to send crafted messages with the intent of causing a buffer overflow.
CVE-2015-8277 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
The products see use in the chemical, critical manufacturing, food and agriculture, and water and wastewater systems sectors. They also see action on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Rockwell Automation recommends users with affected versions of CodeMeter and/or FlexNet Publisher that were installed with FactoryTalk Activation Manager to update Factory Talk Activation Manager to v4.02. If unable to update FactoryTalk Activation Manager to v4.02, update CodeMeter to a compatible version of CodeMeter that is compatible with FactoryTalk Activation Manager.
Rockwell Automation also encourages users to combine the updates above with these general security guidelines to employ multiple strategies simultaneously:
• Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to Port 2222/TCP and UDP and Port 44818/TCP and UDP, using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270. (Login required)
• Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
• Locate control system networks and devices behind firewalls and isolate them from the business network.
• When remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices
For more information about these vulnerabilities and the recommended mitigations, click on Rockwell Automation Knowledgebase Advisory 1073133. (Login required)