OTPulse

Rockwell Automation FactoryTalk RNADiagReceiver

Low Risk · ICS-CERT ICSA-12-088-01A · Dec 30, 2012
Summary

RSLogix 5000 and the FactoryTalk suite (including FT View SE, FT Diagnostics, FT Alarms & Events, FT Live Data, FT Server Health, and FT Directory) contain a memory buffer overread vulnerability in the RNADiagReceiver component. An attacker who can reach the diagnostic receiver service over the network can send a malformed packet that causes the service to read beyond allocated memory boundaries, leading to information disclosure or denial of service by crashing the FactoryTalk service.

What this means
What could happen
A memory buffer overread in FactoryTalk RNADiagReceiver could allow an attacker with network access to the diagnostic communications port to crash the FactoryTalk service or read process memory beyond the intended buffer, disrupting engineering workstations and blocking access to control system monitoring and configuration tools.
Who's at risk
Engineering teams and OT managers using Rockwell Automation FactoryTalk suite for control system configuration, diagnostics, and monitoring. This affects all FactoryTalk-dependent systems including RSLogix 5000 programming, FT View SE HMI development, and real-time alarms and live data monitoring across manufacturing, water treatment, and power distribution facilities.
How it could be exploited
An attacker with network access sends a malformed packet to the RNADiagReceiver service on the FactoryTalk diagnostic port. The service does not validate the packet structure (such as a declared length) against the data it actually received before reading from the buffer, so the read runs beyond the allocated boundary. Depending on what lies past that boundary, the result is disclosure of adjacent process memory or a crash of the service (denial of service).
Prerequisites
  • Network access to the FactoryTalk diagnostic receiver service port
  • Local or network visibility to the engineering workstation or server running FactoryTalk
  • FactoryTalk service must be running
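The validation failure described above, shown as an added illustration written for this page (not code from Rockwell Automation or from the RNADiagReceiver component): a hypothetical diagnostic message format with a length field, the vulnerable parsing pattern that trusts that field, and the hardened form that bounds it by the number of bytes actually received. The message layout, the function names and the stale-buffer scenario are assumptions chosen for the demonstration, not the real wire format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical diagnostic message layout used for this illustration only
 * (an assumption, not the real RNADiagReceiver wire format):
 *   bytes 0-1 : magic "RD"
 *   bytes 2-3 : payload length, little-endian
 *   bytes 4.. : payload
 */
#define DIAG_HDR_LEN 4
#define RECV_BUF_LEN 64

/* Vulnerable pattern: the length field is trusted. `buf` is the service's
 * reusable receive buffer, `n` the number of bytes actually received. The
 * write into `out` is bounded, but the read from `buf` is bounded only by
 * the attacker-controlled length field, so it can run past the `n` bytes
 * of the datagram into whatever memory follows. */
static int diag_echo_vulnerable(const uint8_t *buf, size_t n,
                                uint8_t *out, size_t out_cap)
{
    if (n < DIAG_HDR_LEN || buf[0] != 'R' || buf[1] != 'D')
        return -1;
    size_t len = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (len > out_cap)                      /* protects only the destination */
        return -1;
    memcpy(out, buf + DIAG_HDR_LEN, len);   /* reads past the n received bytes */
    return (int)len;
}

/* Hardened form: the declared length must fit inside the bytes received. */
static int diag_echo_fixed(const uint8_t *buf, size_t n,
                           uint8_t *out, size_t out_cap)
{
    if (n < DIAG_HDR_LEN || buf[0] != 'R' || buf[1] != 'D')
        return -1;
    size_t len = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (len > n - DIAG_HDR_LEN)             /* malformed: declared > received */
        return -1;
    if (len > out_cap)
        return -1;
    memcpy(out, buf + DIAG_HDR_LEN, len);
    return (int)len;
}

/* Constructed scenario: the receive buffer still holds the payload of an
 * earlier, larger message; then a 4-byte datagram arrives that declares a
 * 32-byte payload. The backing buffer is kept larger than the datagram so
 * this demo itself stays within defined behaviour. Returns the handler's
 * result and leaves the echoed bytes in `out`. */
static int run_scenario(int use_fixed, uint8_t *out, size_t out_cap)
{
    uint8_t recv_buf[RECV_BUF_LEN];
    memset(recv_buf, 0, sizeof recv_buf);
    const char stale_payload[] = "previous-msg-secret-token-XYZ";   /* constructed */
    memcpy(recv_buf + DIAG_HDR_LEN, stale_payload, sizeof stale_payload - 1);
    const uint8_t evil[] = { 'R', 'D', 32, 0 };   /* header only: len=32, no payload */
    memcpy(recv_buf, evil, sizeof evil);          /* this datagram is 4 bytes long */
    return use_fixed ? diag_echo_fixed(recv_buf, sizeof evil, out, out_cap)
                     : diag_echo_vulnerable(recv_buf, sizeof evil, out, out_cap);
}

/* Returns 1 when the vulnerable handler echoes stale memory back to the sender. */
int vulnerable_leaks_stale_memory(void)
{
    uint8_t out[RECV_BUF_LEN] = {0};
    int r = run_scenario(0, out, sizeof out);
    return r == 32 && memcmp(out, "previous-msg-secret", 19) == 0;
}

/* Returns 1 when the hardened handler rejects the same datagram. */
int fixed_rejects_malformed(void)
{
    uint8_t out[RECV_BUF_LEN] = {0};
    return run_scenario(1, out, sizeof out) == -1;
}

/* Returns the echoed length for a well-formed message with a 3-byte payload. */
int fixed_accepts_well_formed(void)
{
    const uint8_t ok[] = { 'R', 'D', 3, 0, 'a', 'b', 'c' };
    uint8_t out[RECV_BUF_LEN] = {0};
    return diag_echo_fixed(ok, sizeof ok, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks stale memory: %s\n",
           vulnerable_leaks_stale_memory() ? "yes" : "no");
    printf("fixed handler rejects malformed packet: %s\n",
           fixed_rejects_malformed() ? "yes" : "no");
    printf("fixed handler echoes well-formed payload of %d bytes\n",
           fixed_accepts_well_formed());
    return 0;
}
```

Build with `cc -Wall diag_overread.c && ./a.out`. The only difference between the two handlers is the check against `n`, the byte count the socket actually returned; the vulnerable handler checks the destination capacity and nothing else, which is exactly the shape of bug that turns an undersized datagram into an over-long read. In a real service the same read runs into whatever follows the receive buffer, which is the disclosure-or-crash outcome this advisory describes.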
Tags: remotely exploitable · memory safety vulnerability (buffer overread) · affects engineering workstations · no patch available · no vendor fix planned
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (8, all EOL)

Product            | Affected Versions      | Fix Status
RSLogix 5000       | 17, 18, 19, 20         | No fix (EOL)
FT Directory       | All versions           | No fix (EOL)
FT Alarms & Events | All versions           | No fix (EOL)
FT View SE         | All versions           | No fix (EOL)
FT Diagnostics     | All versions           | No fix (EOL)
FT Live Data       | All versions           | No fix (EOL)
FT Server Health   | All versions           | No fix (EOL)
FactoryTalk        | CPR9 through CPR9 SR5  | No fix (EOL)
Remediation & Mitigation
Do now
  • Workaround: Restrict network access to the FactoryTalk diagnostic port with firewall rules; allow connections only from trusted engineering workstations and servers.
  • Workaround: Disable the RNADiagReceiver service where diagnostic features are not required.
Mitigations - no patch available
All eight affected products (RSLogix 5000 versions 17 through 20; FT Directory, FT Alarms & Events, FT View SE, FT Diagnostics, FT Live Data and FT Server Health in all versions; and FactoryTalk CPR9 through CPR9 SR5) have reached end of life with no planned fix. Apply the following compensating controls:
  • Hardening: Isolate FactoryTalk engineering workstations and servers on a separate engineering network segment with strict access controls.
  • Hardening: Monitor the FactoryTalk diagnostic port for unexpected connection attempts, in particular from hosts outside the engineering segment.