Rockwell RSLogix 5000 Password Vulnerability
Low Risk | ICS-CERT ICSA-14-021-01 | Oct 24, 2014
Summary
RSLogix 5000 software stores passwords in project files using weak protection mechanisms, allowing passwords to be extracted from project files or memory if an attacker gains access to engineering workstations or project storage. This vulnerability affects RSLogix 5000 versions 7 through 21.0.
What this means
What could happen
An attacker with access to RSLogix 5000 project files or memory could extract passwords due to weak storage practices, potentially exposing credentials needed to modify control logic or access engineering workstations.
Who's at risk
Engineering teams and system integrators who use RSLogix 5000 to program and maintain Rockwell Automation CompactLogix, ControlLogix, and other Allen-Bradley programmable logic controllers (PLCs) are affected. Any organization running RSLogix 5000 V7 through V21.0 is at risk if project files are not adequately protected.
How it could be exploited
An attacker would need to gain access to RSLogix 5000 project files (which may be stored on shared drives or engineering workstations) or obtain a memory dump of the running software. Once obtained, passwords stored in the project file or memory can be extracted due to inadequate protection mechanisms, allowing the attacker to use those credentials to access the ICS environment.
Prerequisites
- Access to RSLogix 5000 project files (.ACD format) on the engineering network or workstations
- Local access to an engineering workstation running RSLogix 5000, or access to shared network storage where projects are stored
- No patch available
- Default password storage practices
- Affects engineering workstations and project repositories
- Credential exposure could lead to unauthorized control logic modifications
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 EOL
Product: RSLogix 5000 software: >=V7|<=V20.01
  Affected Versions: ≥ V7|≤ V20.01
  Fix Status: No fix (EOL)

Product: RSLogix 5000 software: V21.0
  Affected Versions: V21.0
  Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict access to RSLogix 5000 project files and engineering workstations; store projects on network shares with strong access controls and limit who can read project files
- HARDENING: Use strong, unique passwords in RSLogix 5000 projects and rotate them regularly; do not reuse credentials from the project files for other systems
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HARDENING: Audit existing RSLogix 5000 projects and credentials; consider regenerating any passwords exposed in older project files
Mitigations - no patch available
The following products have reached End of Life with no planned fix: RSLogix 5000 software: >=V7|<=V20.01, RSLogix 5000 software: V21.0. Apply the following compensating controls:
- HARDENING: Segment the engineering network from the corporate network to limit attacker access to project files if corporate systems are compromised
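One way to act on the file-access and audit steps above, as an added example that is not part of the original advisory or of any Rockwell tooling: a PowerShell script that inventories .ACD project files under a root folder and lists the allow entries that grant read access to broad groups. The root path and the list of broad principals are assumptions to adjust per site.

```powershell
# Added example: find RSLogix 5000 project files (.ACD) readable by broad groups.
# $Root and $BroadPrincipals are assumed values, not taken from the advisory.
param(
    [string]$Root = 'D:\Projects',          # hypothetical project share or local path
    [string[]]$BroadPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users'  # add site groups such as 'CORP\Domain Users'
    )
)

# ReadData is the bit shared by Read, ReadAndExecute, Modify and FullControl.
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

$findings = Get-ChildItem -Path $Root -Recurse -File -Filter '*.ACD' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop
        } catch {
            # An unreadable ACL is itself worth reviewing; report it and move on.
            Write-Warning "Cannot read ACL: $($file.FullName)"
            return
        }
        foreach ($ace in $acl.Access) {
            $isAllow = $ace.AccessControlType -eq 'Allow'
            $canRead = ($ace.FileSystemRights -band $readMask) -ne 0
            $isBroad = $BroadPrincipals -contains $ace.IdentityReference.Value
            if ($isAllow -and $canRead -and $isBroad) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited      # inherited entries are fixed on the parent folder
                    LastWrite = $file.LastWriteTime   # older files are candidates for the credential audit
                }
            }
        }
    }

# Entries expressed only as generic rights (raw GENERIC_READ bits) are not decoded here.
$findings | Sort-Object Path | Format-Table -AutoSize
```

The script reads NTFS permissions only; when the root is a network share, the share-level permissions need a separate review.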
CVEs (1)