Rockwell Automation RSLogix 500 and RSLogix Micro File Parser Buffer Overflow Vulnerability (Update A)
Plan Patch | 8.6 | ICS-CERT ICSA-16-224-02A | May 15, 2016
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A buffer overflow exists in the RSLogix 500 and RSLogix Micro file parsers when handling specially crafted project files. If an engineer opens a malicious file, arbitrary code execution on the engineering workstation is possible. Affected versions include all RSLogix 500 editions (Starter, Standard, Professional) and RSLogix Micro variants up to version 10.00.00.
What this means
What could happen
An attacker who tricks an engineer into opening a specially crafted project file in RSLogix 500 or RSLogix Micro can run arbitrary code on the engineering workstation with the same privileges as the engineer, potentially compromising all connected PLCs and control logic across your facility.
Who's at risk
This affects engineering teams and technicians who use Rockwell Automation RSLogix 500 or RSLogix Micro to design and test PLC logic. Any facility that maintains or modifies Allen-Bradley PLC programs using these tools is at risk if files are not validated before opening.
How it could be exploited
An attacker creates a malicious RSLogix project file (.rsx or similar) crafted to trigger the buffer overflow in the file parser and sends it to an engineer via email or file share. When the engineer opens it in RSLogix, the overflow triggers and executes attacker code. This affects the engineering workstation where logic is designed and downloaded to control systems.
Prerequisites
- Engineer or technician must open a malicious RSLogix project file on their workstation
- User interaction required - no automatic exploitation
- RSLogix 500 or RSLogix Micro application must be installed on the workstation
- No patch available
- User interaction required to trigger
- Affects engineering workstations (gatekeepers to PLC control logic)
- Buffer overflow vulnerability could allow full code execution
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (5)
5 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| RSLogix Micro Developer | ≤ 10.00.00 | No fix (EOL) |
| RSLogix 500 Starter Edition | ≤ 10.00.00 | No fix (EOL) |
| RSLogix 500 Standard Edition | ≤ 10.00.00 | No fix (EOL) |
| RSLogix 500 Professional Edition | ≤ 10.00.00 | No fix (EOL) |
| RSLogix Micro Starter Lite | ≤ 10.00.00 | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Implement email and file-sharing controls to restrict receipt of .rsx and other RSLogix project files from external sources
- HARDENING: Train engineering staff not to open RSLogix project files from untrusted sources or unexpected senders
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor engineering workstations for unauthorized code execution or unexpected process spawning from RSLogix applications
Mitigations - no patch available
The following products have reached End of Life with no planned fix: RSLogix Micro Developer: <=10.00.00, RSLogix 500 Starter Edition: <=10.00.00, RSLogix 500 Standard Edition: <=10.00.00, RSLogix 500 Professional Edition: <=10.00.00, RSLogix Micro Starter Lite: <=10.00.00. Apply the following compensating controls:
- HARDENING: Restrict RSLogix application usage to isolated or air-gapped engineering workstations not connected to operational networks
- HARDENING: Run RSLogix 500 and RSLogix Micro on dedicated engineering workstations with restricted user accounts and minimal network connectivity
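
One way to implement the process-spawn monitoring item above, as an added example that is not part of the original advisory: it scans process-creation records (Sysmon Event ID 1 field names) for children of the RSLogix editor that are not on a site baseline. The executable names, the allowlist and the sample events are constructed placeholders, not values from the advisory.

```python
import json
import ntpath

# Assumption: placeholder image names; replace with the RSLogix executables on your workstations.
RSLOGIX_IMAGES = {"rslogix500-placeholder.exe", "rslogixmicro-placeholder.exe"}
# Assumption: child processes the site has baselined as normal for the editor (hypothetical list).
ALLOWED_CHILDREN = {"splwow64.exe"}

# Constructed sample: one JSON process-creation record per line (last line is truncated on purpose).
SAMPLE_EVENTS = r"""
{"Image": "C:\\Apps\\rslogix500-placeholder.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "PLANT\\eng1", "CommandLine": "rslogix500-placeholder.exe line3.rsx"}
{"Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Apps\\rslogix500-placeholder.exe", "User": "PLANT\\eng1", "CommandLine": "splwow64.exe 8192"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Apps\\rslogix500-placeholder.exe", "User": "PLANT\\eng1", "CommandLine": "cmd.exe /c whoami"}
{"Image": "C:\\Users\\eng1\\AppData\\Local\\Temp\\a.exe", "ParentImage": "C:\\Apps\\RSLOGIXMICRO-PLACEHOLDER.EXE", "User": "PLANT\\eng1", "CommandLine": "a.exe"}
{"Image": "C:\\Windows\\Sys
"""

def image_name(path):
    """Lower-cased file name of a Windows path; works on any host OS."""
    return ntpath.basename(path or "").lower()

def find_suspicious_children(log_text):
    """Return one alert per process whose parent is an RSLogix image and which is not baselined."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt record: skip it, keep scanning
        if not isinstance(event, dict):
            continue
        parent = image_name(event.get("ParentImage"))
        child = image_name(event.get("Image"))
        # A second editor instance or a baselined helper is expected; anything else is reported.
        if parent in RSLOGIX_IMAGES and child not in (ALLOWED_CHILDREN | RSLOGIX_IMAGES):
            alerts.append({"parent": parent, "child": child,
                           "user": event.get("User"),
                           "command_line": event.get("CommandLine")})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_children(SAMPLE_EVENTS):
        print("ALERT", json.dumps(alert))
```
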
CVEs (1)