Rockwell Automation RSLinx Classic
Act Now | 10 | ICS-CERT ICSA-18-263-02 | Sep 20, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Rockwell Automation RSLinx Classic contains buffer overflow vulnerabilities (CWE-121, CWE-122) and a resource exhaustion issue (CWE-400) in versions 4.00.01 and earlier. These vulnerabilities can be exploited remotely without authentication to crash the device or achieve arbitrary code execution. The vulnerabilities are reachable through Port 44818.
What this means
What could happen
An attacker could crash RSLinx Classic or run arbitrary commands on the device, potentially disrupting communication between engineering workstations and Rockwell PLCs/controllers in your facility. This could prevent you from monitoring or controlling production processes.
Who's at risk
Water authorities and utilities running Rockwell Automation RSLinx Classic as the engineering workstation software for PLC/controller communication. Any facility using RSLinx Classic versions 4.00.01 or earlier for Allen-Bradley equipment programming and monitoring is at risk.
How it could be exploited
An attacker with network access to Port 44818 on a device running RSLinx Classic can send specially crafted packets to trigger a buffer overflow. No credentials or user interaction are required. Successful exploitation results in either denial of service (crash) or remote code execution on the RSLinx Classic host.
Prerequisites
- Network access to Port 44818 on RSLinx Classic host
- No authentication required
- No user interaction required
Tags: remotely exploitable, no authentication required, low complexity, high EPSS score (48.4%), affects control system communication, arbitrary code execution possible
Exploitability
High exploit probability (EPSS 48.4%)
Affected products (1)
Product | Affected Versions | Fix Status
RSLinx Classic | ≤ 4.00.01 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Disable Port 44818 on RSLinx Classic if not required for operational use, per KB 1075747 guidance
- HARDENING: Implement firewall rules to restrict access to Port 44818 to only authorized engineering workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update RSLinx Classic to the patched version referenced in Rockwell Automation knowledge base article KB 1075712
- HARDENING: Use a VPN for any remote access to RSLinx Classic, and keep VPN software updated
Mitigations - no patch available
RSLinx Classic has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Place RSLinx Classic on a network segment isolated from the Internet and untrusted business networks
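One way to check that the Port 44818 firewall restriction above is actually holding, as an added example that is not part of the advisory or any Rockwell Automation tooling: it audits connection records for traffic to Port 44818 from sources outside an allowlist of engineering workstations. The log format, the allowlist and every address are constructed assumptions; adapt the parser to your firewall's export.

```python
import ipaddress

ENIP_PORT = 44818  # port named in the advisory

# Assumption: constructed allowlist of authorized engineering workstations.
AUTHORIZED = [ipaddress.ip_network(n) for n in ("10.10.20.0/28", "10.10.30.5/32")]

# Constructed sample records (assumed format, IPv4 only):
# "timestamp action proto src_ip:src_port dst_ip:dst_port"
SAMPLE_LOG = """\
2018-09-21T08:00:01Z ALLOW tcp 10.10.20.4:51512 10.10.50.10:44818
2018-09-21T08:00:07Z ALLOW tcp 192.168.7.33:40110 10.10.50.10:44818
2018-09-21T08:01:15Z DENY tcp 203.0.113.9:55321 10.10.50.10:44818
2018-09-21T08:02:40Z ALLOW udp 10.10.30.5:2222 10.10.50.10:44818
2018-09-21T08:03:02Z ALLOW tcp 10.10.40.8:49822 10.10.50.10:443
2018-09-21T08:03:30Z ALLOW udp 10.10.20.77:50001 10.10.50.10:44818
truncated record
"""

def is_authorized(src_ip):
    return any(src_ip in net for net in AUTHORIZED)

def audit(log_text):
    """Return (violations, blocked, skipped) for traffic to ENIP_PORT.

    violations: unauthorized sources the firewall ALLOWED (rule gap)
    blocked:    unauthorized sources the firewall denied (rule working)
    skipped:    count of records that could not be parsed
    """
    violations, blocked, skipped = [], [], 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, action, proto, src, dst = parts
            src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
            dst_ip, dst_port = dst.rsplit(":", 1)
            dst_port = int(dst_port)
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        if dst_port != ENIP_PORT or is_authorized(src_ip):
            continue
        record = (ts, proto, str(src_ip), dst_ip)
        (violations if action == "ALLOW" else blocked).append(record)
    return violations, blocked, skipped

if __name__ == "__main__":
    v, b, s = audit(SAMPLE_LOG)
    print("allowed but unauthorized:", v)
    print("blocked:", b, "| unparsed records:", s)
```

Any entry in the first list means the rule set still lets an unauthorized host reach Port 44818; entries in the second list show the restriction working.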