DoS Vulnerabilities Found in Rockwell’s FactoryTalk Linx and RSLinx Classic Products

Researchers have discovered vulnerabilities that expose Rockwell Automation’s FactoryTalk Linx and RSLinx Classic products to denial-of-service (DoS) attacks.

According to an advisory published by Rockwell late last month, researchers from cybersecurity firm Tenable discovered a total of four DoS vulnerabilities, three affecting FactoryTalk Linx and one impacting the FactoryTalk Services Platform.

FactoryTalk Linx, formerly RSLinx Enterprise, is a widely used product designed for connecting Allen Bradley PLCs to Rockwell applications, including for programming, data acquisition and HMI interaction.

Two of the security holes affecting FactoryTalk Linx are caused by an unhandled exception in a DLL file and they can allow a remote, unauthenticated attacker to cause a DoS condition by sending specially crafted packets that result in the termination of the RSLinxNG.exe process. These issues have been rated high severity and they are tracked as CVE-2020-5801 and CVE-2020-5802.

The other vulnerability affecting FactoryTalk Linx is a buffer overflow in a DLL file and it can also result in a DoS condition by sending malicious packets that cause the RSLinxNG.exe process to terminate. However, while exploitation does not require authentication, it does require local access, according to Rockwell’s advisory, which Tenable has confirmed for SecurityWeek that is accurate.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

The flaw affecting the FactoryTalk Services Platform can be exploited for DoS attacks by convincing the targeted user to open a specially crafted log file.

“When the malicious log file is opened by a local user, it can cause a buffer overflow in the FactoryTalk Services Platform resulting in temporary denial-of-service conditions. Users can recover from the condition by reopening the impacted software,” the vendor explained (account required).

Rockwell Automation has not released patches for these vulnerabilities. It has, however, shared some risk mitigation recommendations, including network, software, social engineering and general mitigation strategies.

“A denial of service in the RSLinx component would not impact the operation of the PLC in most cases; however, it would prevent an Administrator from applying new configurations and changes to the PLC as well as lose visibility in the PLC’s operation,” David Wells, staff research engineer at Tenable, told SecurityWeek.

Cisco Talos this week revealed that one of its researchers discovered a high-severity flaw that can allow an attacker to cause a DoS condition in Rockwell’s RSLinx Classic, a widely used communication server for industrial automation products. The issue, tracked as CVE-2020-13573, is related to the product’s Ethernet/IP server functionality and it can be exploited by sending specially crafted network requests.

Rockwell Automation told Talos that the issue was resolved in November, but it appears that the vendor has not released a security advisory. Talos has published an advisory explaining how the vulnerability can be exploited.

Related: Flaws in Rockwell Automation Product Expose Engineering Workstations to Attacks

Related: Rockwell Automation Patches Critical DoS/RCE Flaw in RSLinx Software

Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files