OTPulse

Reliable Controls LicenseManager

Plan Patch
CVSS: 7.8
ICS-CERT ICSA-19-337-01
Dec 3, 2019
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

RC-LicenseManager versions 3.4 and earlier contain a vulnerability (CWE-428) that allows a local attacker with user-level privileges to crash the system, access sensitive data, or execute arbitrary commands. This vulnerability is not remotely exploitable and requires the attacker to already have login access to the affected machine. Reliable Controls has released version 3.5 bundled with RC-Studio 3.6.3.

What this means
What could happen
An attacker with local access to a system running RC-LicenseManager could crash the application, read sensitive data, or run arbitrary commands with the privileges of the logged-in user, potentially disrupting the engineering workstation or accessing confidential control system configurations.
Who's at risk
Organizations using Reliable Controls RC-LicenseManager for engineering and configuration of RC-Studio control system software should prioritize this update. This affects engineering teams, system integrators, and facility operators who use RC-Studio to manage or configure building automation, HVAC, or industrial control systems.
How it could be exploited
An attacker must first gain local access to the engineering workstation or computer running RC-LicenseManager. Once logged in with user-level privileges, the attacker can exploit this vulnerability to escalate capabilities and execute arbitrary code or access restricted files on that machine.
Prerequisites
  • Local access to the affected workstation
  • User-level or higher credentials on the workstation where RC-LicenseManager is installed
  • RC-LicenseManager version 3.4 or earlier running on the system
  • Local access required (limits remote attack risk)
  • Low EPSS score (0.1%, low exploitation likelihood)
  • Affects engineering workstations rather than production controllers
  • No public exploit code available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: RC-LicenseManager
Affected Versions: ≤ 3.4
Fix Status: 3.5 (bundled in RC Studio 3.6.3)
Remediation & Mitigation
Do now
HARDENING: Restrict local login access to engineering workstations to authorized personnel only and implement physical security controls to prevent unauthorized access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade RC-LicenseManager to version 3.5 or later by installing RC-Studio 3.6.3 or newer
HARDENING: Apply least privilege principles: ensure RC-Studio and RC-LicenseManager run with the minimum necessary user permissions, not as administrator
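
CWE-428 is the "unquoted search path or element" weakness, and one common place to audit for it on an engineering workstation is the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services. The following check is an added example, not code from Reliable Controls or this advisory; it flags entries whose executable path contains a space but is not quoted. The service names and paths are constructed samples, and this page does not state which RC-LicenseManager path is affected.

```python
import re

# End of the executable token in an unquoted command line: an executable
# extension followed by whitespace or end of string.
_EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return (path_to_executable, was_quoted) for a service ImagePath value."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = _EXE_END.search(s)
    # No recognizable extension: treat the whole value as the path so that
    # an ambiguous entry is reported rather than silently passed.
    return (s[:m.end()] if m else s), False


def is_unquoted_with_space(image_path):
    """True when the executable path contains a space and is not quoted (CWE-428)."""
    path, quoted = executable_part(image_path)
    return not quoted and " " in path


def audit(services):
    """Return the sorted names of services whose ImagePath needs quoting."""
    return sorted(n for n, p in services.items() if is_unquoted_with_space(p))


# Constructed sample data: service names and paths are hypothetical.
SAMPLE_SERVICES = {
    "ExampleLicenseSvc": r"C:\Program Files\Example Vendor\License Service\svc.exe -run",
    "ExampleQuotedSvc": r'"C:\Program Files\Example Vendor\License Service\svc.exe" -run',
    "HostedSvc": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    "EnvVarSvc": r"%SystemRoot%\System32\spoolsv.exe",
    "NoArgsSvc": r"C:\Program Files\Tool\agent.exe",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_SERVICES):
        print(f"unquoted path with spaces: {name} -> {SAMPLE_SERVICES[name]}")
```

Run against a real export of service ImagePath values before and after the upgrade; any entry still reported should have its path quoted.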
Reliable Controls LicenseManager | CVSS 7.8 - OTPulse