OTPulse

Rockwell Automation RSLinx Classic and FactoryTalk Linx Gateway

Plan Patch · 8.8 · ICS-CERT ICSA-18-158-01 · Jun 7, 2018
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

RSLinx Classic versions 3.90.01 and earlier, and FactoryTalk Linx Gateway versions 3.90.00 and earlier, are vulnerable to local privilege escalation when service installation paths contain spaces. A non-privileged local user can exploit this misconfiguration to execute arbitrary code with administrator privileges, potentially compromising control system integrity and access.

What this means
What could happen
An authorized local user on an engineering workstation running RSLinx Classic or FactoryTalk Linx Gateway could gain administrator privileges and run arbitrary code on that workstation, potentially altering configuration data, process programs, or communications with control devices in the network.
Who's at risk
Engineering teams and system integrators who operate Rockwell Automation RSLinx Classic or FactoryTalk Linx Gateway on Windows workstations. This affects anyone managing Allen-Bradley PLCs, CompactLogix controllers, or other Rockwell devices that rely on these applications for programming, monitoring, and communication.
How it could be exploited
The vulnerability exists in how the software handles service paths containing spaces during installation or execution. A non-privileged local user can exploit this to escalate their privileges and execute code with elevated rights, affecting any connected control systems that communicate through these applications.
Prerequisites
  • Local user account on the engineering workstation
  • Service path containing spaces (specific installation configuration)
  • Non-administrator user privilege
  • Requires local user access
  • Affects control system engineering workstations
  • Default installation may contain vulnerable service paths
  • Can lead to administrator privilege escalation
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| RSLinx Classic | ≤ 3.90.01 | 4.00.01 or later |
| FactoryTalk Linx Gateway | ≤ 3.90.00 | 6.00.00 or later |
Remediation & Mitigation
Do now
  • WORKAROUND: If unable to patch immediately, apply the registry edit to fix service paths containing spaces per Knowledge Base Article 939382
  • HARDENING: Run RSLinx Classic and FactoryTalk Linx Gateway with a least-privilege user account (not administrator)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update RSLinx Classic to version 4.00.01 or later
  • HOTFIX: Update FactoryTalk Linx Gateway to version 6.00.00 or later
  • HARDENING: Implement Microsoft AppLocker or equivalent application whitelisting to restrict code execution
Long-term hardening
  • HARDENING: Apply least-privilege access controls to user and service accounts for shared resources like databases
  • HARDENING: Isolate engineering workstations and control system networks behind firewalls; restrict Internet access
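
An added example (not from the advisory or from Rockwell Automation): a read-only PowerShell audit for the condition the registry workaround addresses, assuming that condition is a service binary path that contains spaces and is not wrapped in quotes (the page itself only says "service paths containing spaces"). The sample paths are constructed, `Get-QuotedServicePath` is a hypothetical helper name, and the script does not reproduce Knowledge Base Article 939382.

```powershell
# Added example, not vendor code. Read-only: lists services whose executable
# path contains a space but is not wrapped in double quotes. Changes nothing.

function Get-QuotedServicePath {
    # Returns the quoted form of $ImagePath, or $null when no change is needed.
    param([Parameter(Mandatory)][string]$ImagePath)

    $path = $ImagePath.Trim()
    if ($path.StartsWith('"')) { return $null }             # already quoted

    # Split into the executable (up to the first ".exe") and any arguments.
    $m = [regex]::Match($path, '(?i)^(?<exe>.+?\.exe)(?<args>\s.*)?$')
    if (-not $m.Success) { return $null }                   # e.g. kernel driver paths
    if ($m.Groups['exe'].Value -notmatch '\s') { return $null }

    return '"' + $m.Groups['exe'].Value + '"' + $m.Groups['args'].Value
}

# Constructed sample values (hypothetical paths) showing what gets flagged.
$samples = @(
    'C:\Program Files (x86)\Example Vendor\Example Service\svc.exe -run',    # flagged
    '"C:\Program Files (x86)\Example Vendor\Example Service\svc.exe" -run',  # quoted, ok
    'C:\Windows\System32\svchost.exe -k netsvcs'                             # no space, ok
)
foreach ($s in $samples) {
    '{0,-8} {1}' -f $(if (Get-QuotedServicePath $s) { 'FLAGGED' } else { 'ok' }), $s
}

# Audit the local workstation. Win32_Service.PathName is the service's
# configured binary path, including any arguments.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $fixed = Get-QuotedServicePath $_.PathName
        if ($fixed) {
            [pscustomobject]@{
                Name    = $_.Name
                RunsAs  = $_.StartName
                Current = $_.PathName
                Quoted  = $fixed
            }
        }
    } | Format-List
```

Run it before and after applying the workaround or the fixed versions; an empty result from the audit section means no remaining services match the pattern.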