4.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:C/I:N/A:N
0.001 Low
EPSS
Percentile
25.6%
This advisory was originally posted to the US-CERT secure Portal library on May 12, 2015, and is being released to the NCCIC/ICS-CERT web site.
Rockwell Automation has produced a patch to mitigate a password encryption vulnerability in RSView32. Information Security Analysts Vladimir Dashchenko and Dmitry Dementjev of the Ural Security System Center (USSC) reported this vulnerability directly to Rockwell Automation.
The following RSView32 versions are affected:
An attacker who exploits this vulnerability may be able to gain access to user-defined passwords.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Rockwell Automation, which is a US-based company, provides industrial automation control and information products across a wide range of industries.
The affected product, RSView32, is an HMI system used for monitoring and controlling automation machines and processes. According to Rockwell Automation, RSView32 is deployed across several sectors including Critical Manufacturing, Energy, Water and Wastewater Systems, and others. Rockwell Automation estimates that these products are used worldwide.
A vulnerability has been discovered in the encryption approach used by RSView32 to create a password storage file used with the software.
User-defined usernames and passwords for RSView32 are stored within a specific file. The associated weakness in the file is a result of the software using older weak and outdated encryption algorithms compared to contemporary encryption technologies. Use of older algorithms may be susceptible to unauthorized decryption. If successfully exploited, user-defined passwords can be revealed.
This exploit requires an attacker gaining local access to the specific file storing passwords local to the RSView32 product. This involves local or remote access, reverse-engineering, and some form of successful social-engineering.
CVE-2015-1010NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1010, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory. has been assigned to this vulnerability. A CVSS v2 base score of 6.0 has been assigned; the CVSS vector string is (AV:L/AC:H/Au:S/C:C/I:C/A:C).CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:L/AC:H/Au:S/C:C/I:C/A:C, web site last accessed May 12, 2015.
This vulnerability is not exploitable remotely and cannot be exploited without user interaction. This exploit is only triggered when a local user obtains and decrypts the file containing access credentials.
No known public exploits specifically target this vulnerability.
Crafting a working exploit for this vulnerability would be difficult.
The software patch released by Rockwell Automation for the RSView32 mitigates the risk associated with the discovered password vulnerability. Rockwell Automation encourages asset owners/operators using affected versions of the RSView32 to deploy this patch and take the additional precautions:
The vendor recommends customers consider upgrading their software and compatible operating systems to more contemporary versions wherever possible. It is also advisable that customers adopt measures to keep products current and patched.
For customers who must continue to use RSView32, the vendor strongly recommends that they upgrade the operating system on which the product runs, to a RSView32-compatible version that is as current as possible, and is still in support by the manufacturer.
Other Vendor information links:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICSβCERT Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (www.ics-cert.org).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
In addition, ICS-CERT recommends that users take the following minimum basic measures to protect themselves from social engineering attacks:
www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page
www.rockwellautomation.com/security%20
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
rockwellautomation.custhelp.com/app/answers/detail/a_id/54102
rockwellautomation.custhelp.com/app/answers/detail/a_id/546989
rockwellautomation.custhelp.com/app/answers/detail/a_id/700915
twitter.com/CISAgov
twitter.com/intent/tweet?text=Rockwell%20Automation%20RSView32%20Weak%20Encryption%20Algorithm%20on%20Passwords+https://www.cisa.gov/news-events/ics-advisories/icsa-15-132-02
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-15-132-02&title=Rockwell%20Automation%20RSView32%20Weak%20Encryption%20Algorithm%20on%20Passwords
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-15-132-02
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-15-132-02
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Rockwell%20Automation%20RSView32%20Weak%20Encryption%20Algorithm%20on%20Passwords&body=www.cisa.gov/news-events/ics-advisories/icsa-15-132-02