CVSS2: 10 High. Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE. Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3: 7.5 High. Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH. Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.031 Low. Percentile: 91.1%
This updated advisory is a follow-up to the original advisory titled ICSA-13-095-02 Rockwell Automation FactoryTalk and RSLinx Vulnerabilities that was published April 5, 2013, on the ICS-CERT Web page.
Researcher Carsten Eiram of Risk Based Security has identified multiple input validation vulnerabilities in Rockwell Automation's FactoryTalk Services Platform (RNADiagnostics.dll) and RSLinx Enterprise Software (LogReceiver.exe and Logger.dll). Rockwell Automation has produced patches that mitigate these vulnerabilities, and released the patches April 5, 2013. Rockwell Automation has tested the patches to validate that they resolve the vulnerabilities.
Carsten Eiram discovered additional vulnerabilities after the patches were released in April, and Rockwell released new patches that mitigate the additional vulnerabilities on June 28, 2013.
These vulnerabilities could be exploited remotely.
The following FactoryTalk Services Platform and RSLinx Enterprise product versions are affected:
Successful exploitation of these vulnerabilities may result in a DoS condition to the services, service termination, and the potential for code injection.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.
FactoryTalk Services Platform (FTSP) shares data throughout a distributed system and enforces redundancy and fault tolerance while tracking changes in the system.
RSLinx Enterprise is used for design and configuration, which provides plant-floor device connectivity for multiple Rockwell software applications. This software also has open interfaces for third-party human-machine interfaces (HMIs), data collection and analysis packages, as well as custom client-applications.
According to Rockwell Automation, both products are deployed across several sectors including agriculture and food, water, chemical, manufacturing, and others. The Rockwell product Web site states that these products are used in France, Italy, the Netherlands, and other countries in Europe, as well as the United States, Korea, China, Japan, and Latin American countries.
The FactoryTalk Services Platform (RNADiagnostics.dll) does not validate input correctly and cannot allocate a negative integer. By sending a negative integer input to the service over Port 4445/UDP, an attacker could cause a DoS condition that prevents subsequent processing of connections. An attacker could possibly cause the RNADiagnostics.dll or RNADiagReceiver.exe service to terminate.
CVE-2012-4713 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4713; NIST uses this advisory to create the CVE Web site report; Web site last accessed October 07, 2013). A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C) (CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013).
The FactoryTalk Services Platform (RNADiagnostics.dll) does not handle input correctly and cannot allocate an over-sized integer. By sending an over-sized integer input to the service over Port 4445/UDP, an attacker could cause a DoS condition that prevents subsequent processing of connections. An attacker could possibly cause the service to terminate.
CVE-2012-4714 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4714; NIST uses this advisory to create the CVE Web site report; Web site last accessed October 07, 2013). A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C) (CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013).
The RSLinx Enterprise Software (LogReceiver.exe and Logger.dll) does not handle input correctly and results in a logic error if it receives a zero or large byte datagram. If an attacker sends a datagram of zero byte size to the receiver over Port 4444/UDP (user-configurable, not enabled by default), the attacker would cause a DoS condition where the service silently ignores further incoming requests.
After discussion with the researcher and vendor, this vulnerability was a duplicate of CVE-2012-4715, and therefore the two vulnerabilities have been combined. CVE-2012-4715 will be retracted from the NVD Web site.
CVE-2012-4695 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4695; NIST uses this advisory to create the CVE Web site report; Web site last accessed October 07, 2013). A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C) (CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013).
The RSLinx Enterprise Software (LogReceiver.exe) does not handle input correctly and results in a logic error if it receives a datagram with an incorrect value in the "Record Data Size" field. By sending a datagram to the service over Port 4444/UDP with the "Record Data Size" field modified to an oversized value, an attacker could cause an out-of-bounds read access violation that leads to a service crash. The service can be recovered with a manual reboot.
CVE-2013-2805 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2805; NIST uses this advisory to create the CVE Web site report; this Web site will be active sometime after publication of this advisory). A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C) (CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013).
The RSLinx Enterprise Software (LogReceiver.exe) does not handle input correctly and results in a logic error if it calculates an incorrect value for the "Total Record Size" field. By sending a datagram to the service over Port 4444/UDP with the "Record Data Size" field modified to a specifically oversized value, the service will calculate an undersized value for the "Total Record Size" that will cause an out-of-bounds read access violation that leads to a service crash. The service can be recovered with a manual reboot.
CVE-2013-2807 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2807; NIST uses this advisory to create the CVE Web site report; this Web site will be active sometime after publication of this advisory). A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C) (CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013).
The RSLinx Enterprise Software (LogReceiver.exe) does not handle input correctly and results in a logic error if it calculates an incorrect value for the "End of Current Record" field. By sending a datagram to the service over Port 4444/UDP with the "Record Data Size" field modified to a specifically oversized value, the service will calculate an undersized value for the "Total Record Size." Then the service will calculate an incorrect value for the "End of Current Record" field causing access violations that lead to a service crash. The service can be recovered with a manual reboot.
CVE-2013-2806 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2806; NIST uses this advisory to create the CVE Web site report; this Web site will be active sometime after publication of this advisory). A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C) (CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C, Web site last accessed October 07, 2013).
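The length checks that the LogReceiver.exe descriptions above call for (zero-byte datagram, oversized "Record Data Size", wrapped "Total Record Size", and "End of Current Record" past the buffer), as an added example that is not Rockwell Automation's code and not part of the original advisory. The record layout (a 4-byte little-endian "Record Data Size" followed by that many data bytes) and every function and constant name are assumptions, because the advisory does not publish the wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not from the advisory): records packed back to back, each a
 * 4-byte little-endian "Record Data Size" followed by that many data bytes. */
#define REC_HDR_LEN 4u
enum { ERR_EMPTY = -1, ERR_TRUNCATED = -2, ERR_SIZE = -3 };

/* Constructed sample datagrams, not captured traffic. */
static const uint8_t SAMPLE_OK[] = {3,0,0,0,'a','b','c', 0,0,0,0};
static const uint8_t SAMPLE_OVERSIZED[] = {0xFF,0xFF,0,0,'a'};
static const uint8_t SAMPLE_WRAP[] = {0xFE,0xFF,0xFF,0xFF,'a','b'};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern: the 32-bit sum wraps, so a huge data size yields a tiny
 * "total record size" that would pass a later `total <= len` check. */
uint32_t naive_total_size(uint32_t data_size) {
    return data_size + REC_HDR_LEN;
}

/* Returns the number of records, or a negative error; never reads past len. */
long count_records(const uint8_t *buf, size_t len) {
    size_t off = 0;
    long count = 0;
    if (buf == NULL || len == 0) return ERR_EMPTY;   /* zero-byte datagram */
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < REC_HDR_LEN) return ERR_TRUNCATED;
        uint32_t data_size = read_le32(buf + off);
        /* Compare against what is left; never add to the untrusted size. */
        if (data_size > remaining - REC_HDR_LEN) return ERR_SIZE;
        off += REC_HDR_LEN + (size_t)data_size;      /* end of current record */
        count++;
    }
    return count;
}

int main(void) {
    printf("ok=%ld oversized=%ld wrap=%ld naive_total=%u\n",
           count_records(SAMPLE_OK, sizeof SAMPLE_OK),
           count_records(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED),
           count_records(SAMPLE_WRAP, sizeof SAMPLE_WRAP),
           (unsigned)naive_total_size(0xFFFFFFFEu));
    return 0;
}
```

Rejecting the datagram and returning to the receive loop, rather than leaving the loop on an error, is what keeps one malformed packet from stopping the processing of later ones.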
These vulnerabilities could be exploited remotely.
No known public exploits specifically target these vulnerabilities.
An attacker with low skill would be able to exploit these vulnerabilities.
Rockwell Automation's recommendation to asset owners using FTSP or RSLinx CPR9 through CPR9-SR4 is to upgrade to CPR9-SR5 or newer. Rockwell Automation also recommends that all asset owners using FTSP or RSLinx CPR9-SR5 and newer should apply the correlating patch for the version they are using.
The patches and details pertaining to these vulnerabilities can be found at the following Rockwell Automation Security Advisory link (login is required):
<https://rockwellautomation.custhelp.com/app/answers/detail/a_id/537599>
In addition, asset owners can find security information for other Rockwell Automation products at the Security Advisory Index page link below (login is required):
<https://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102>
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B: Targeted Cyber Intrusion Mitigation Strategies, which is available for download from the ICS-CERT Web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.