
PN852 | RSLinx Classic File Input Buffer Overflow in OpcTest.exe

Severity:
Medium
Advisory ID:
PN852
Release Date:
April 20, 2015
Last Updated:
April 20, 2015
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Summary
RSLinx Classic File Input Buffer Overflow in OpcTest.exe

Description

April 20, 2015 - version 1.0

A vulnerability has been discovered by independent researcher Ivan Javier Sanchez in a non-critical software component distributed with certain versions of the RSLinx Classic product. The included executable, OpcTest.exe, is a test client for RSLinx’s support of the OPC-DA protocol. The discovered vulnerability is not remotely exploitable and successful social engineering is required to convince a victim to use the test client to open an untrusted, specifically modified CSV file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as OpcTest.exe. At this time there is no known publicly available exploit code.

Rockwell Automation has verified the validity of Mr. Sanchez's discoveries, and a new software release has been issued for RSLinx Classic that includes a new version of OpcTest.exe to address the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

The following software has been confirmed to be susceptible to the reported vulnerability:

Software Name     Version
RSLinx Classic    All versions prior to, not including, 3.73.00

VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS

OpcTest.exe can import a comma-separated values (CSV) file containing lists of tags and groups, so that the software user can easily subscribe to these items from the RSLinx Classic software. The discovered vulnerability is within the OpcTest.exe code that parses this CSV content. When a specifically crafted or altered file is imported, the parser can overflow a fixed-size buffer, corrupting the stack and potentially allowing attacker-supplied code to execute on the affected computer. If successful, such code runs at the same privilege level as the user who is logged into the machine.

Exploitation of this vulnerability requires an attacker to convince a user to introduce or replace CSV files with specifically created or modified CSV files that have been constructed to use this buffer overflow condition to successfully execute malicious code.

Potential impacts from a successful attack range from a software crash (i.e. a Denial of Service) requiring a software restart, to a silent compromise in which the victim is unaware of the exploitation while the attacker establishes a foothold on the client asset. A successful attack that includes malicious code execution grants the attacker the victim's privilege level on the affected computer; if the victim is logged in as an administrator, that includes computer administrative privileges.
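The CSV import described above, as an added illustration written for this page (it is not Rockwell's code and not the OpcTest.exe parser itself): a minimal tag/group importer that shows the unbounded-copy pattern which produces a stack buffer overflow, beside a bounded version that refuses oversize fields instead of overrunning its buffers. The two-column "Group,Tag" layout, the header row, and the 32-byte field size are assumptions; the sample rows are constructed.

```c
/* Added example: a bounded CSV tag/group importer illustrating the bug class
 * described in the advisory. Not Rockwell's code; the "Group,Tag" format with
 * a header row and the MAX_NAME field size are assumptions made for this page. */
#include <stdio.h>
#include <string.h>

#define MAX_NAME  32     /* assumed fixed-size field buffer */
#define MAX_ITEMS 16

struct opc_item {
    char group[MAX_NAME];
    char tag[MAX_NAME];
};

/* Vulnerable pattern (illustration only, never call on untrusted input): the
 * field length is never compared with the destination size, so a field of
 * MAX_NAME bytes or more writes past the end of the stack buffers. */
static int parse_row_unsafe(const char *line, struct opc_item *out)
{
    char group[MAX_NAME], tag[MAX_NAME];
    const char *comma = strchr(line, ',');
    if (comma == NULL)
        return -1;
    memcpy(group, line, (size_t)(comma - line));   /* unbounded copy */
    group[comma - line] = '\0';
    strcpy(tag, comma + 1);                         /* unbounded copy */
    strcpy(out->group, group);
    strcpy(out->tag, tag);
    return 0;
}

/* Copy exactly n bytes of src into dst[cap], refusing anything that does not
 * fit together with its terminator. Returns 0 on success, -1 if the field is
 * empty or too long. */
static int copy_field(char *dst, size_t cap, const char *src, size_t n)
{
    if (n == 0 || n >= cap)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Hardened parser: every copy is bounded by the destination size, the row must
 * have exactly two fields, and a trailing CR/LF is not treated as field data. */
static int parse_row_safe(const char *line, struct opc_item *out)
{
    size_t len = strcspn(line, "\r\n");
    const char *comma = memchr(line, ',', len);
    if (comma == NULL)
        return -1;
    size_t glen = (size_t)(comma - line);
    const char *tag = comma + 1;
    size_t tlen = len - glen - 1;
    if (memchr(tag, ',', tlen) != NULL)            /* a third field: malformed row */
        return -1;
    if (copy_field(out->group, sizeof out->group, line, glen) != 0)
        return -1;
    if (copy_field(out->tag, sizeof out->tag, tag, tlen) != 0)
        return -1;
    return 0;
}

/* Parse a whole CSV document (first line is a header, blank lines ignored),
 * stopping at the first bad row. Returns the number of items stored, or the
 * negated line number of the row that was rejected. */
static int import_csv(const char *text, struct opc_item *items, size_t max_items)
{
    size_t count = 0;
    int lineno = 0;
    const char *p = text;
    while (*p != '\0') {
        size_t len = strcspn(p, "\n");
        lineno++;
        int blank = (len == 0) || (len == 1 && p[0] == '\r');
        if (lineno > 1 && !blank) {
            if (count >= max_items || parse_row_safe(p, &items[count]) != 0)
                return -lineno;
            count++;
        }
        p += len;
        if (*p == '\n')
            p++;
    }
    return (int)count;
}

/* Build a row "G," followed by n 'A' bytes and parse it with the safe parser,
 * to probe the boundary at MAX_NAME. */
static int check_tag_length(size_t n)
{
    char row[MAX_NAME * 4];
    struct opc_item it;
    if (n + 3 > sizeof row)
        return -1;
    memcpy(row, "G,", 2);
    memset(row + 2, 'A', n);
    row[2 + n] = '\0';
    return parse_row_safe(row, &it);
}

/* Constructed sample input: a well-formed import file. */
static const char SAMPLE_OK[] =
    "Group,Tag\r\n"
    "Line1,Pump1_Speed\r\n"
    "Line1,Pump1_Status\r\n"
    "Line2,Tank2_Level\r\n";

/* Constructed malicious input: a 64-byte tag, twice MAX_NAME. */
static const char SAMPLE_BAD[] =
    "Group,Tag\n"
    "Line1," "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA"
             "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "\n";

static struct opc_item g_items[MAX_ITEMS];

static int demo_import_ok(void)  { return import_csv(SAMPLE_OK, g_items, MAX_ITEMS); }
static int demo_import_bad(void) { return import_csv(SAMPLE_BAD, g_items, MAX_ITEMS); }
static const char *demo_item_tag(int i) { return g_items[i].tag; }

int main(void)
{
    struct opc_item it;
    parse_row_unsafe("Line1,Pump1_Speed", &it);   /* short row: safe to call here */
    printf("imported %d items; last tag %s\n", demo_import_ok(), demo_item_tag(2));
    printf("malicious file rejected at line %d\n", -demo_import_bad());
    printf("%d-byte tag: %s\n", MAX_NAME, check_tag_length(MAX_NAME) ? "rejected" : "accepted");
    return 0;
}
```

The safe path differs from the unsafe one in a single place: the copy is gated on the destination capacity, and the row is rejected rather than silently truncated, so a crafted file fails loudly at the offending line instead of writing past the buffer.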

CUSTOMER RISK MITIGATION AND REMEDIATION

Customers using affected versions of the RSLinx Classic are encouraged to upgrade to the newest available software versions that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.

  1. Do not open untrusted CSV files with OpcTest.exe
  2. Upgrade affected products as follows:

    Software          Catalog Number                                   Affected Software                            Recommendation
    RSLinx Classic    9355-WABSNENE; 9355-WABOEMENE; 9355-WABGWENE     All software versions prior to 3.72.00.01    Upgrade to 3.73.00 or higher (available now)

    Choose "RSLinx Classic (9355-WABx)" -- http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?keyword=9355-WAB

  3. Limit access to those assets with RSLinx Classic and other software to authorized personnel.
  4. Run all software as User, not as an Administrator.
  5. Restrict network access to assets with RSLinx Classic and other software as appropriate.
  6. Use trusted software and software patches that are obtained only from highly reputable sources.
  7. Interact with, and only obtain software and software patches from trustworthy websites.
  8. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
  9. Follow good network design practices that include network separation and segmentation, use of DMZs with properly configured firewalls to selectively control and monitor traffic passed between zones and systems.
  10. Maintain layered physical and logical security, defense in depth design practices for the ICS.
  11. Reaffirm with employees the importance for constant vigilance, especially the ongoing potential for social engineering attacks to manipulate otherwise normal user behaviors.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released
