SecurityWeek
Rockwell Patches Code Execution Flaw in RSLogix Product

Rockwell Automation has released patches for some of its RSLogix products to address a vulnerability that can be leveraged to execute arbitrary code on a targeted system. Fortunately, the security hole is not easy to exploit.

RSLogix, a programming package for Rockwell products, is used around the world in the food and agriculture, critical manufacturing, water and chemical sectors.

All versions of RSLogix Micro Starter Lite and Micro Developer, and RSLogix 500 Starter Edition, Standard Edition and Professional Edition are plagued by a buffer overflow vulnerability (CVE-2016-5814) caused by the way the product handles project files with an RSS extension.

An attacker can exploit the vulnerability if they can trick a local user into opening a specially crafted RSS file with an affected version of RSLogix. If the attack is successful, the malicious code is executed with the privileges of the victim.

In addition to applying the patches that address this flaw, Rockwell has advised customers to avoid running software with administrator privileges, avoid opening untrusted files, and limit network exposure for critical systems.

The vulnerability was reported to Rockwell Automation by researcher Ariele Caltabiano, aka kimiya, via the Zero Day Initiative (ZDI) and ICS-CERT. The advisory submitted to ZDI has yet to be made public – the organization gives vendors 120 days to patch a flaw before its details are disclosed, but only 108 days have passed in this case.

While ICS-CERT has classified this vulnerability as high severity, with a CVSSv3 score of 8.6, ZDI rated it only medium severity, with a CVSSv3 score of 6.8. Swiss-based security firm SCIP estimates on its VulDB website that an exploit for this vulnerability is worth between $2,000 and $5,000.

Another vulnerability reported via ZDI and detailed by ICS-CERT in a recent advisory is a privilege escalation issue found by researcher Andrea Micalizzi in ABB’s data analysis software DataManagerPro.

The flaw, tracked as CVE-2016-4526, allows an authenticated attacker to elevate their privileges to administrator by swapping DLLs in the package directory. The bug has been addressed by ABB with the release of DataManagerPro 1.7.1.

“The specific flaw exists within the file permissions set during product installation. The World account is set to have full rights to the directory that contains the binaries that are executed by system administrators. File substitution would then allow a standard user on the system to replace code that is subsequently run by a system administrator,” ZDI explained in an advisory.
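The weakness ZDI describes is a directory ACL that lets a standard user write into a folder whose binaries an administrator later runs. The following PowerShell audit, an added example that is not part of the ZDI advisory or any ABB or Rockwell tooling, lists the ACEs of that kind on a program directory; the path in `$ProgramDir` is a placeholder, since the real install location is not given on the page.

```powershell
# Added example: flag ACEs that grant write-class rights to broad principals on a
# program directory and its subdirectories. $ProgramDir is a placeholder path.
$ProgramDir = 'C:\Program Files\ExampleVendor\ExampleProduct'

# Principals that should never be able to add or replace files in a directory
# whose binaries are executed by administrators.
$BroadPrincipals = @(
    'Everyone',                          # the "World" account (S-1-1-0) in ZDI's wording
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating, overwriting or removing files in the directory.
# Write already covers WriteData and AppendData.
$WriteClass = [System.Security.AccessControl.FileSystemRights]::Write -bor
              [System.Security.AccessControl.FileSystemRights]::Modify -bor
              [System.Security.AccessControl.FileSystemRights]::FullControl -bor
              [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Test-WritableByBroadPrincipal {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights (GENERIC_ALL = 0x10000000) show up as raw bits outside the
        # enum names; treat any such ACE as a finding too.
        $rights  = [int]$ace.FileSystemRights
        $generic = ($rights -band 0x10000000) -ne 0
        if ($generic -or (($rights -band [int]$WriteClass) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Audit the directory itself plus every subdirectory; each row is an ACE a
# standard user could use to substitute a binary later run by an administrator.
$targets  = @(Get-Item -LiteralPath $ProgramDir) +
            @(Get-ChildItem -LiteralPath $ProgramDir -Directory -Recurse)
$findings = foreach ($d in $targets) { Test-WritableByBroadPrincipal -Path $d.FullName }
$findings | Format-Table -AutoSize
```

An empty table means no broad principal holds write-class rights anywhere under the directory; rows with `Inherited = True` point at the parent ACL that needs tightening rather than the listed subdirectory.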

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
