ICS-CERT has received a report from Michael Orlando of CERT Coordination Center (CERT/CC) identifying a vulnerability in Rockwell Automation Electronic Data Sheet (EDS) Hardware Installation Tool. This tool is bundled with RSLinx Classic for normal distribution. The install tool exhibits a buffer overflow vulnerability when parsing improperly formatted EDS files. This vulnerability is likely exploitable and could allow remote code execution, though that would require significant user interaction. Rockwell Automation has released a patch that has been verified by CERT/CC.
EDS Hardware Installation Tool Version 1.3.0.1 and all earlier versions are affected.
An attacker could exploit the vulnerability by tricking a user into opening a specially crafted EDS file, causing the EDS Hardware Installation Tool to crash, which would lead to possible execution of arbitrary code.
ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation. Critical infrastructure organizations are encouraged to use the information contained in this advisory to strengthen network defense and examine their own networks for possible compromise.
Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries. RSLinx provides connectivity to plant floor devices for Rockwell software applications. To register a device on the network, product-specific information must be supplied via an EDS file. The RSLinx Hardware Installation Tool parses the EDS file containing the hardwareβs specifications.
An attacker that alters a required EDS file and then uses it in the EDS Hardware Installation Tool could cause the tool to crash, allowing execution of arbitrary code. The subsequent stack-based buffer overflowMitre, http://cwe.mitre.org/data/definitions/121.html, website last visited June 09, 2011 usually results from an excessively recursive function call and is usually outside the scope of a programβs implicit security policy. When the consequence is arbitrary code execution, this can often be used to subvert any other security service.
This vulnerability is likely exploitable; however, it is not possible without user interaction. An attacker cannot initiate the exploit from a remote machine. The exploit is only triggered when a local user runs the vulnerable application and loads the malformed EDS file.
No known exploits specifically target this vulnerability.
Crafting a working exploit for this vulnerability would be difficult. Social engineering is required to convince the user to accept the malformed EDS file. Additional user interaction is needed to load the malformed file. This decreases the likelihood of a successful exploit.
Rockwell Automation recommends concerned customers take the following immediate steps to mitigate risk associated with this vulnerability.
ICS-CERT encourages asset owners to minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Locate control system networks and remote devices behind firewalls and isolate them from the business network. When remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
The Control Systems Security Program (CSSP) also provides a section for control system security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
rockwellautomation.custhelp.com/app/answers/detail/a_id/276774
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Rockwell%20RSLinx%20EDS%20Vulnerability+https://www.cisa.gov/news-events/ics-advisories/icsa-11-161-01
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-11-161-01&title=Rockwell%20RSLinx%20EDS%20Vulnerability
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-11-161-01
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-11-161-01
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Rockwell%20RSLinx%20EDS%20Vulnerability&body=www.cisa.gov/news-events/ics-advisories/icsa-11-161-01