OTPulse

Rockwell Automation EDS Subsystem

Plan Patch | CVSS 8.2 | ICS-CERT ICSA-20-140-01 | May 19, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation EDS (Ethernet Devices Specification) subsystem in RSNetWorx, FactoryTalk Linx, Studio 5000 Logix Designer, and RSLinx Classic software contains buffer overflow and SQL injection vulnerabilities that can be triggered via specially crafted EtherNet/IP or CIP protocol messages. Successful exploitation leads to denial-of-service conditions in the affected software.

What this means
What could happen
An attacker with network access to your engineering workstations or control network could crash Rockwell Automation software or disrupt network communication between your PLC/PAC controllers and their clients, causing a loss of monitoring and control capability until the application is restarted.
Who's at risk
Manufacturing facilities using Rockwell Automation software for PLC/PAC programming and monitoring should be concerned. This includes: organizations running RSNetWorx (network configuration tool), FactoryTalk Linx (system integration platform), Studio 5000 Logix Designer (PLC programming), and RSLinx Classic (legacy communications software). Impact is primarily on engineering and operations staff using these tools.
How it could be exploited
An attacker on your manufacturing network (or a compromised device on that network) can send a specially crafted EtherNet/IP or CIP protocol message to the affected Rockwell software running on engineering workstations or HMI servers. This causes the software to crash or become unresponsive, interrupting communication with your controllers. The attack requires only network access to the workstation or server; no credentials or user interaction are needed.
Prerequisites
  • Network access to the manufacturing zone or engineering workstation running affected Rockwell software
  • Target software must be running and listening on TCP ports 2222, 7153, or UDP port 44818
  • Attacker must be able to send EtherNet/IP or CIP protocol packets
  • Remotely exploitable over network
  • No authentication required
  • Low attack complexity
  • Affects engineering workstations and control network communication
  • No patch available for affected versions
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (4)
4 EOL
Product                                                          Affected Versions     Fix Status
RSNetWorx software                                               ≤ 28.00.00            No fix (EOL)
FactoryTalk Linx software (Previously called RSLinx Enterprise)  6.00 | 6.10 | 6.11    No fix (EOL)
Studio 5000 Logix Designer software                              ≤ 32                  No fix (EOL)
RSLinx Classic                                                   ≤ 4.11.00             No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Block or restrict incoming EtherNet/IP and CIP traffic (TCP ports 2222, 7153, UDP port 44818) from outside your manufacturing zone using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply patch from Rockwell Automation knowledgebase article RAid 1125928 per vendor instructions
Mitigations - no patch available
The following products have reached End of Life with no planned fix: RSNetWorx software, FactoryTalk Linx software (Previously called RSLinx Enterprise), Studio 5000 Logix Designer software, and RSLinx Classic. Apply the following compensating controls:
HARDENING: Segment your engineering workstations and HMI servers behind firewalls, isolated from the business network
HARDENING: If remote access to engineering workstations is required, route it through a VPN with current security patches
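
To check that the firewall workaround above is actually enforced, the following added example (not part of the advisory or of any Rockwell Automation or OTPulse tooling) scans exported flow records for allowed traffic to the listed ports that originates outside the manufacturing zone. The record format, the 10.20.0.0/16 zone subnet and every sample record are constructed assumptions.

```python
import ipaddress

# Ports the advisory lists for the affected Rockwell software.
EIP_PORTS = {("tcp", 2222), ("tcp", 7153), ("udp", 44818)}

# Assumption: the manufacturing zone is this subnet (constructed value).
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample flow records: "proto src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
tcp 10.20.5.11 10.20.1.40 2222 allow
udp 10.20.5.12 10.20.1.40 44818 allow
tcp 192.168.7.30 10.20.1.40 7153 allow
udp 192.168.7.30 10.20.1.41 44818 deny
tcp 192.168.7.31 10.20.1.40 443 allow
udp 172.16.3.9 10.20.1.40 44818 allow
tcp notanip 10.20.1.40 2222 allow
"""


def in_zone(ip):
    """True if the address belongs to the manufacturing zone."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on bad input
    return any(addr in net for net in MANUFACTURING_ZONE)


def find_violations(flow_text):
    """Return allowed flows to the advisory's ports on in-zone hosts
    whose source is outside the zone, as (line, proto, src, dst, port)."""
    violations = []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # not a flow record in the assumed format
        proto, src, dst, port, action = parts
        try:
            key = (proto.lower(), int(port))
            crosses_boundary = in_zone(dst) and not in_zone(src)
        except ValueError:
            continue  # unparseable address or port; skip the record
        if key in EIP_PORTS and crosses_boundary and action.lower() == "allow":
            violations.append((lineno, key[0], src, dst, key[1]))
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("allowed from outside zone: line %d %s %s -> %s:%d" % v)
```

Any record it reports is a path the firewall rules should have blocked.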
Rockwell Automation EDS Subsystem | CVSS 8.2 - OTPulse