OTPulse

Rockwell RSLogix Overflow Vulnerability

Low Risk · ICS-CERT ICSA-11-273-03A · Jul 3, 2011
Summary

RSLogix 5000 software versions 17, 18, and 19 and FactoryTalk software versions CPR9 through CPR9-SR4 contain a buffer overflow vulnerability (CWE-119) that could allow an attacker with access to the software or systems running it to crash the application or potentially execute arbitrary code. The affected products include RSLogix 5000 and all FactoryTalk-branded software within the version ranges specified. No vendor fix is available for any of the affected products.

What this means
What could happen
An attacker with access to affected Rockwell RSLogix or FactoryTalk software could trigger a buffer overflow that could crash the engineering workstation or potentially execute arbitrary code, disrupting engineering changes and commissioning activities.
Who's at risk
This vulnerability affects anyone using Rockwell Automation's RSLogix 5000 engineering software (versions 17, 18, 19) or FactoryTalk-branded software (CPR9 through CPR9-SR4) for programming or configuring industrial control systems in manufacturing, water, wastewater, electric utility, and other critical infrastructure sectors. Engineering workstations and commissioning systems are at risk.
How it could be exploited
An attacker who can interact with the affected software (either through direct access to an engineering workstation or by sending specially crafted input to a system running RSLogix 5000 or FactoryTalk) could trigger the buffer overflow (CWE-119), potentially achieving code execution or denial of service on that workstation.
Prerequisites
  • Direct access to or network interaction with an engineering workstation running RSLogix 5000 versions 17, 18, or 19, or FactoryTalk software versions CPR9 through CPR9-SR4
  • No credentials required to trigger the buffer overflow
  • No patch available
  • Buffer overflow - potential for code execution
  • Affects engineering/commissioning workstations
  • Low exploit probability (0.2% EPSS)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3)
2 pending, 1 EOL

Product | Affected Versions | Fix Status
All FactoryTalk-branded software | CPR9 | No fix yet
All FactoryTalk-branded software | ≥ CPR9-SR1, ≤ CPR9-SR4 | No fix yet
RSLogix 5000 software | 17, 18, 19 | No fix (EOL)
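As an added triage example (not code from OTPulse, Rockwell or ICS-CERT), the following Python checks a constructed software inventory against the affected-version ranges in the table above. It assumes a dotted RSLogix build such as 18.02 belongs to major version 18, and matches product names by substring; hostnames and versions in the inventory are made up.

```python
import re
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    host: str
    product: str
    version: str
    affected: bool
    fix_status: Optional[str]

# Affected ranges exactly as published in the advisory table.
RSLOGIX_MAJORS = {17, 18, 19}          # RSLogix 5000: No fix (EOL)
FACTORYTALK_SR = (1, 4)                # CPR9-SR1 .. CPR9-SR4 inclusive, plus bare CPR9
_CPR_RE = re.compile(r"^CPR(\d+)(?:-SR(\d+))?$", re.IGNORECASE)

def factorytalk_affected(version: str) -> bool:
    """True for CPR9 and CPR9-SR1 through CPR9-SR4; SR5+ and other CPRs are not listed."""
    m = _CPR_RE.match(version.strip())
    if not m or int(m.group(1)) != 9:
        return False
    sr = m.group(2)
    return sr is None or FACTORYTALK_SR[0] <= int(sr) <= FACTORYTALK_SR[1]

def rslogix_affected(version: str) -> bool:
    """Assumption: a dotted build such as '18.02' belongs to major version 18."""
    m = re.match(r"^v?(\d+)", version.strip(), re.IGNORECASE)
    return bool(m) and int(m.group(1)) in RSLOGIX_MAJORS

def check(host: str, product: str, version: str) -> Finding:
    """Classify one inventory row against the advisory's affected-product table."""
    p = product.lower()
    if "rslogix 5000" in p:
        hit = rslogix_affected(version)
        return Finding(host, product, version, hit, "No fix (EOL)" if hit else None)
    if "factorytalk" in p:
        hit = factorytalk_affected(version)
        return Finding(host, product, version, hit, "No fix yet" if hit else None)
    return Finding(host, product, version, False, None)

# Constructed sample inventory; hostnames and versions are made up for this example.
INVENTORY = [
    ("ews-01", "RSLogix 5000", "18.02"),
    ("ews-02", "RSLogix 5000", "v20.01"),
    ("ews-03", "FactoryTalk View SE", "CPR9-SR3"),
    ("ews-04", "FactoryTalk View SE", "CPR9-SR5"),
    ("ews-05", "FactoryTalk Services Platform", "CPR9"),
]
def triage(inventory=INVENTORY):
    """Return only the rows that fall inside the advisory's affected ranges."""
    return [f for f in (check(*row) for row in inventory) if f.affected]
```

Rows that come back carry the table's fix status, so an EOL hit (RSLogix 5000) can be routed straight to the compensating-control track rather than a patch queue.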
Remediation & Mitigation
Do now
HARDENING: Isolate engineering workstations running RSLogix 5000 or affected FactoryTalk software from untrusted networks and restrict access to authorized personnel only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor engineering workstations for unusual activity or crashes that may indicate exploitation attempts
Mitigations - no patch available
RSLogix 5000 software versions 17, 18, and 19 have reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to prevent unauthorized connections to machines running affected Rockwell software