A buffer overflow vulnerability exists in the Rockwell Automation RSLinx Classic EDS Hardware Installation Tool (RSHWare.exe). This vulnerability is likely exploitable; however, significant user interaction would be required.
The vulnerability affects EDS Hardware Installation Tool Version 1.0.5.1 and earlier.
The CVSS impact subscore for this vulnerability, as calculated by ICS-CERT, is high (10) because successfully exploiting this vulnerability would allow an attacker to run arbitrary code on the target machine. However, the exploitability subscore is low (3.2) because of the difficulty of exploiting this vulnerability.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.
Rockwell Automation provides industrial automation control and information products worldwide across a wide range of industries.
RSLinx provides connectivity to plant floor devices for Rockwell software applications. To register a device on the network, product-specific information must be supplied via an Electronic Data Sheet (EDS) file. The RSLinx Hardware Installation Tool parses the EDS file containing the hardware's specifications.
On February 9, 2010, a security researcher posted a blog entry regarding a buffer overflow vulnerability in an EDS file installation tool, later found to be the Rockwell Automation EDS Hardware Installation Tool (RSHWare.exe). ICS-CERT has verified that the vulnerability exists in RSLinx Classic Version 2.41.00 (RSHWare.exe Version 1.0.4.0).
Overall CVSS Score: 6.2
Shorthand CVSS Scoring Notation: AV:L/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:U/RC:C
This vulnerability is likely exploitable; however, it is not possible without user interaction. An attacker cannot initiate the exploit from a remote machine. The exploit is only triggered when a local user runs the vulnerable application and loads the malformed EDS file.
There are currently no known exploits specifically targeting this vulnerability.
Crafting a working exploit for this vulnerability would be difficult. Social engineering is required to convince the user to accept the malformed EDS file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit.
Rockwell Automation recommends customers take the following steps to mitigate risk associated with this vulnerability:
Rockwell Automation will modify the EDS Hardware Installation Tool to properly handle EDS files and will release the modified version as a patch by May 2010. This modified version will be included in all future releases of RSLinx Classic starting with Version 2.57.
Rockwell Automation has issued a software patch for the EDS Hardware Installation Tool that addresses this buffer overflow vulnerability. When applied, the patch replaces the RSEds.dll file with the modified Version 4.0.1.157. Future releases of RSLinx Classic, starting with Version 2.57, will include this modified version of the RSEds.dll.
Rockwell has also updated Technote 67272 to include instructions for how to obtain and apply the patch.
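A way to confirm on a workstation that the patched RSEds.dll described above is in place, as an added example that is not part of the advisory or of Rockwell's Technote. The search roots are an assumption, since the advisory does not give the install path; pass `-Root` with the directory where RSLinx Classic is installed.

```powershell
# Added example: compare installed file versions with the versions named in the advisory.
# Assumption: the default search roots are guesses; pass -Root with the real install directory.
param(
    [string[]]$Root = @(${env:ProgramFiles(x86)}, $env:ProgramFiles)
)

$patchedRSEds = [version]'4.0.1.157'  # RSEds.dll version installed by the patch (from the advisory)
$lastAffected = [version]'1.0.5.1'    # RSHWare.exe: this version and earlier are listed as affected

function Get-FileVersion {
    param([System.IO.FileInfo]$File)
    $vi = $File.VersionInfo
    # Build the version from the numeric parts; the FileVersion string can carry free-form text.
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

# Collect every copy of the two files under the existing search roots.
$found = $Root | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object {
    Get-ChildItem -LiteralPath $_ -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'RSEds.dll', 'RSHWare.exe' }
}

$report = foreach ($f in $found) {
    $v = Get-FileVersion $f
    $status = if (-not $f.VersionInfo.FileVersion) {
        'no version resource, inspect manually'
    } elseif ($f.Name -ieq 'RSEds.dll') {
        if ($v -ge $patchedRSEds) { 'patched' } else { 'NOT patched' }
    } else {
        # The fix ships in RSEds.dll, so the tool's own version only shows exposure range.
        if ($v -le $lastAffected) { 'in affected range, check RSEds.dll' } else { 'later than affected range' }
    }
    [pscustomobject]@{ File = $f.FullName; Version = $v; Status = $status }
}

if ($report) {
    $report | Format-Table -AutoSize
} else {
    Write-Warning 'Neither RSEds.dll nor RSHWare.exe was found under the given roots.'
}
```

A copy of RSEds.dll reported as `NOT patched` still needs the patch referenced in Technote 67272.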
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
The Control System Security Program also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
rockwellautomation.custhelp.com/app/answers/detail/a_id/67272