OTPulse
FeedAboutContact

Rockwell Automation RSLinx Classic

Plan Patch8.8ICS-CERT ICSA-20-100-01Apr 9, 2020
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

RSLinx Classic versions 3.60 to 4.11.00 contain an improper file permissions vulnerability (CWE-732) that allows a local authenticated attacker to execute malicious code when opening the application. The vulnerability requires local system access and valid user credentials.

What this means
What could happen
A user with local access to a workstation running RSLinx Classic could execute arbitrary code with the privileges of the application, potentially allowing modification or disruption of connected programmable logic controllers (PLCs) and control systems.
Who's at risk
Engineering and operations staff using RSLinx Classic on Windows workstations to program and monitor Rockwell Automation PLCs and industrial control systems. This affects any organization using RSLinx Classic versions 3.60 through 4.11.00 for Allen-Bradley programmable controller management.
How it could be exploited
An attacker with local access to a workstation and valid credentials could exploit improper file permissions to place malicious code that executes when an authorized user opens RSLinx Classic. This allows the attacker to run commands on the user's workstation with the same privileges as RSLinx, potentially gaining access to connected industrial devices.
Prerequisites
  • Local access to the workstation running RSLinx Classic
  • Valid user credentials to log in to the workstation
  • RSLinx Classic version 3.60 through 4.11.00 installed
requires local accessrequires valid credentialsimproper file permissions allows privilege escalationaffects workstations that control critical industrial devices
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
ProductAffected VersionsFix Status
RSLinx:≤ 4.11.00patch 1091155 (versions 3.60-4.11.00) or latest version
Remediation & Mitigation
0/5
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXApply Rockwell Automation patch 1091155 to RSLinx Classic versions 3.60 to 4.11.00
HOTFIXUpgrade to the most recent version of RSLinx Classic available from Rockwell Automation
Long-term hardening
0/3
HARDENINGRestrict physical and local network access to workstations running RSLinx Classic to authorized engineering and operations personnel only
HARDENINGIsolate RSLinx Classic workstations and control system networks from the business network using firewalls and network segmentation
HARDENINGImplement access controls to prevent unauthorized users from logging in to workstations running RSLinx Classic
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/f65c442b-710c-4e79-a59a-c602efc7e787