OTPulse

Rockwell Automation RSLinx Classic

Act Now · 10 · ICS-CERT ICSA-19-064-01 · Mar 5, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A stack-based buffer overflow vulnerability in RSLinx Classic (CWE-121) allows remote code execution via network-accessible services. Rockwell Automation has released patches for versions 3.60, 3.70, 3.80, 3.81, 3.90, 4.00.01, and 4.10. Version 4.10.00 and later have the vulnerable UDP port (44818) disabled by default.

What this means
What could happen
An attacker on the network could execute arbitrary code on any RSLinx Classic gateway, potentially allowing them to manipulate PLC communications, alter data being exchanged with control systems, or disrupt plant operations by intercepting or modifying automation commands.
Who's at risk
Manufacturing facilities and utilities using Rockwell Automation RSLinx Classic as a gateway for PLC and industrial device communications. This affects any organization running versions 4.10.00 or earlier that have enabled UDP messaging (disabled by default in 4.10 and later). Risk is highest for older RSLinx Classic installations (v3.x–v4.00) in production environments that rely on the gateway for real-time control.
How it could be exploited
An attacker sends a specially crafted network packet to UDP port 44818 on a host running RSLinx Classic with the port enabled. The overflow in the message handler allows the attacker to overwrite the stack and inject malicious code that executes with the privileges of the RSLinx Classic process.
Prerequisites
  • Network access to UDP port 44818 on the RSLinx Classic host
  • RSLinx Classic versions <= 4.10.00 with 'Accept UDP Messages on Ethernet Port' enabled
  • No authentication required
remotely exploitable · no authentication required · low complexity · high EPSS score (17.3%) · affects industrial control system gateway function
Exploitability
High exploit probability (EPSS 17.3%)
Affected products (1)
Product: RSLinx Classic
Affected Versions: ≤ 4.10.00
Fix Status: See KB Article 1084828 for patched versions (v3.60, v3.70, v3.80, v3.81, v3.90, v4.00.01, v4.10)
Remediation & Mitigation
Do now
WORKAROUND: Disable UDP port 44818 in RSLinx Classic by unchecking 'Accept UDP Messages on Ethernet Port' in Options > General tab, unless unsolicited messages are actively required for your automation workflows
HARDENING: Restrict network access to UDP port 44818 using firewall rules to only trusted engineering workstations and control systems that require RSLinx Classic gateway services
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply Rockwell Automation patch from KB Article 1084828 for your version of RSLinx Classic (available for v3.60, v3.70, v3.80, v3.81, v3.90, v4.00.01, v4.10)
HARDENING: Review DDE/OPC Topic Configuration to verify whether 'Unsolicited Messages' are actually in use; disable the feature if not needed
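
The two "Do now" items can be verified and enforced on the Windows host with built-in cmdlets. The PowerShell below is an added example, not part of the advisory or of Rockwell Automation's guidance; the trusted addresses and the rule name are placeholders to replace with your own.

```powershell
# Added example (not vendor code). Run elevated on the RSLinx Classic host.
$Port     = 44818
# Assumption: placeholder addresses from a documentation range; replace with the
# engineering workstations and control systems that need the gateway.
$Trusted  = @('192.0.2.10', '192.0.2.11')
$RuleName = 'RSLinx Classic UDP 44818 - trusted hosts only'  # hypothetical name

# 1. Is anything bound to UDP 44818? No endpoint means nothing is listening on it.
$endpoints = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $endpoints) {
    Write-Output "UDP $Port is not bound on this host."
}
foreach ($ep in $endpoints) {
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    $name = $proc.ProcessName
    Write-Output "UDP $($ep.LocalAddress):$Port bound by PID $($ep.OwningProcess) ($name)"
}

# 2. Show the default inbound action per profile; a scoped allow rule only
#    restricts access when unmatched inbound traffic is blocked.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 3. List enabled inbound allow rules that open the port to any remote address.
#    These must be disabled or scoped, or they still admit untrusted hosts.
#    (Rules covering the port through a range such as 44000-45000 are not detected.)
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        ($pf.Protocol -in 'UDP', 'Any') -and
        (($pf.LocalPort -contains "$Port") -or ($pf.LocalPort -contains 'Any')) -and
        ($af.RemoteAddress -contains 'Any')
    }
$broad | Select-Object DisplayName, Profile

# 4. Add an allow rule limited to the trusted hosts (skipped if it already exists).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort $Port -RemoteAddress $Trusted -Action Allow | Out-Null
}
```

Step 3 will also list program-based rules that allow all protocols and ports; review each one before disabling it, since other services on the host may depend on it.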