OTPulse

Rockwell Automation FactoryTalk and RSLinx Vulnerabilities

Risk: Low
ICS-CERT: ICSA-13-095-02A
Date: Jan 7, 2013
Summary

Multiple buffer overflow (CWE-125) and integer overflow (CWE-190) vulnerabilities, along with improper exception/error handling (CWE-703), exist in Rockwell Automation FactoryTalk Services Platform and RSLinx Enterprise versions CPR9 through CPR9-SR6. These vulnerabilities could allow remote exploitation via specially crafted network packets without requiring valid credentials. The affected versions are no longer supported by the vendor.

What this means
What could happen
Attackers could exploit buffer overflows and integer overflow vulnerabilities in FactoryTalk and RSLinx to cause application crashes or potentially execute arbitrary code on engineering workstations and servers managing industrial processes.
Who's at risk
Manufacturing facilities, process plants, and utilities that use Rockwell Automation's FactoryTalk Services Platform or RSLinx Enterprise for industrial automation engineering and control. This affects engineers and operators who depend on these platforms for system configuration, monitoring, and maintenance of PLCs and automation equipment.
How it could be exploited
An attacker with network access to a system running FactoryTalk Services Platform or RSLinx Enterprise could send specially crafted requests that trigger buffer overflow (CWE-125) or integer overflow (CWE-190) conditions in the application. Exploitation could lead to denial of service or code execution depending on the specific vulnerability and system configuration.
Prerequisites
  • Network access to FactoryTalk Services Platform or RSLinx Enterprise ports
  • Vulnerable version CPR9 through CPR9-SR6 must be running
  • No authentication appears to be required (inferred from the CWE-703 improper check/handling classification)
Key points
  • No patch available (end-of-life or unsupported versions)
  • Buffer overflow and integer overflow vulnerabilities
  • Affects engineering workstations and servers managing critical processes
  • Low EPSS score, but the underlying conditions favor exploitation
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (8)
Product                                                        | Affected Versions | Fix Status
FactoryTalk Services Platform and RSLinx Enterprise: CPR9      | CPR9              | No fix yet
FactoryTalk Services Platform and RSLinx Enterprise: CPR9-SR1  | CPR9-SR1          | No fix yet
FactoryTalk Services Platform and RSLinx Enterprise: CPR9-SR2  | CPR9-SR2          | No fix yet
FactoryTalk Services Platform and RSLinx Enterprise: CPR9-SR3  | CPR9-SR3          | No fix yet
FactoryTalk Services Platform and RSLinx Enterprise: CPR9-SR4  | CPR9-SR4          | No fix yet
FactoryTalk Services Platform and RSLinx Enterprise: CPR9-SR5  | CPR9-SR5          | No fix yet
FactoryTalk Services Platform and RSLinx Enterprise: CPR9-SR5.1| CPR9-SR5.1        | No fix yet
FactoryTalk Services Platform and RSLinx Enterprise: CPR9-SR6  | CPR9-SR6          | No fix yet
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation to restrict access to FactoryTalk and RSLinx systems to only authorized engineering workstations and control network segments
WORKAROUND: Deploy firewall rules to block unauthorized connections to FactoryTalk Services Platform and RSLinx Enterprise ports from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor FactoryTalk and RSLinx systems for unexpected connections or suspicious process behavior
Long-term hardening
HARDENING: Isolate or air-gap FactoryTalk engineering workstations from general corporate networks where feasible
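The segmentation, firewall and monitoring items above all reduce to one question: which sources are talking to the FactoryTalk/RSLinx servers, and are they the authorized engineering workstations? The script below is an added example (not from the advisory, OTPulse, or Rockwell Automation) that answers that question over constructed firewall/netflow-style connection records. The subnet 10.10.20.0/24, the server addresses 10.10.30.5 and 10.10.30.6, and the choice of 44818/tcp (the EtherNet/IP port used by RSLinx) as the watched service port are all assumptions for the example; replace them with the addresses and listening ports of your own deployment.

```python
"""Flag connections to FactoryTalk/RSLinx hosts from outside the authorized
engineering network, and count watched-port connections per source.
Added example; assumed addresses and ports are constructed, not from the advisory."""
import ipaddress
from collections import Counter

# Assumed network layout (constructed for this example).
AUTHORIZED_ENG_SUBNETS = [ipaddress.ip_network("10.10.20.0/24")]
FACTORYTALK_RSLINX_HOSTS = {
    ipaddress.ip_address("10.10.30.5"),
    ipaddress.ip_address("10.10.30.6"),
}
# Assumption: 44818/tcp (EtherNet/IP, used by RSLinx) is the service port of
# interest. Replace with the ports your FactoryTalk/RSLinx servers listen on.
WATCHED_PORTS = {44818}

# Constructed sample records: timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2013-01-07T08:01:12Z 10.10.20.15 50123 10.10.30.5 44818 tcp
2013-01-07T08:02:40Z 192.168.1.77 41002 10.10.30.5 44818 tcp
2013-01-07T08:03:05Z 10.10.20.16 50124 10.10.30.6 44818 tcp
this line is malformed and should be skipped
2013-01-07T08:04:51Z 172.16.5.9 33333 10.10.30.6 44818 tcp
2013-01-07T08:05:00Z 10.10.20.15 50125 10.10.30.5 80 tcp
"""


def parse_record(line):
    """Parse one space-separated record; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, sport, dst, dport, proto = fields
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
        }
    except ValueError:
        # Bad address or port: skip the record rather than abort the whole run.
        return None


def is_authorized_source(src):
    """True if the source address lies inside an authorized engineering subnet."""
    return any(src in net for net in AUTHORIZED_ENG_SUBNETS)


def targets_watched_service(rec):
    """True if the record is a connection to a FactoryTalk/RSLinx host on a watched port."""
    return rec["dst"] in FACTORYTALK_RSLINX_HOSTS and rec["dport"] in WATCHED_PORTS


def find_unauthorized_connections(log_text):
    """Return records that reach a watched service from outside the engineering subnets."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not targets_watched_service(rec):
            continue
        if not is_authorized_source(rec["src"]):
            findings.append(rec)
    return findings


def connection_counts_by_source(log_text):
    """Count watched-service connections per source; a spike from one source merits review."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None and targets_watched_service(rec):
            counts[str(rec["src"])] += 1
    return counts


if __name__ == "__main__":
    for f in find_unauthorized_connections(SAMPLE_LOG):
        print(f"ALERT {f['ts']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"({f['proto']}) from outside the engineering subnet")
    for src, n in connection_counts_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} connection(s) to watched services")
```

The same allowlist that drives the alerts doubles as the specification for the firewall rules in the "Do now" items: anything the script flags is a flow the segmentation should already be blocking.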