CONFERENCE NOW LIVE: Threat Detection & Incident Response (TDIR) Summit - Join the Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

DoS Vulnerabilities Found in Rockwell’s FactoryTalk Linx and RSLinx Classic Products

Researchers have discovered vulnerabilities that expose Rockwell Automation’s FactoryTalk Linx and RSLinx Classic products to denial-of-service (DoS) attacks.

Researchers have discovered vulnerabilities that expose Rockwell Automation’s FactoryTalk Linx and RSLinx Classic products to denial-of-service (DoS) attacks.

According to an advisory published by Rockwell late last month, researchers from cybersecurity firm Tenable discovered a total of four DoS vulnerabilities, three affecting FactoryTalk Linx and one impacting the FactoryTalk Services Platform.

FactoryTalk Linx, formerly RSLinx Enterprise, is a widely used product designed for connecting Allen Bradley PLCs to Rockwell applications, including for programming, data acquisition and HMI interaction.

Two of the security holes affecting FactoryTalk Linx are caused by an unhandled exception in a DLL file and they can allow a remote, unauthenticated attacker to cause a DoS condition by sending specially crafted packets that result in the termination of the RSLinxNG.exe process. These issues have been rated high severity and they are tracked as CVE-2020-5801 and CVE-2020-5802.

The other vulnerability affecting FactoryTalk Linx is a buffer overflow in a DLL file and it can also result in a DoS condition by sending malicious packets that cause the RSLinxNG.exe process to terminate. However, while exploitation does not require authentication, it does require local access, according to Rockwell’s advisory, which Tenable has confirmed for SecurityWeek that is accurate.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

The flaw affecting the FactoryTalk Services Platform can be exploited for DoS attacks by convincing the targeted user to open a specially crafted log file.

“When the malicious log file is opened by a local user, it can cause a buffer overflow in the FactoryTalk Services Platform resulting in temporary denial-of-service conditions. Users can recover from the condition by reopening the impacted software,” the vendor explained (account required).

Advertisement. Scroll to continue reading.

Rockwell Automation has not released patches for these vulnerabilities. It has, however, shared some risk mitigation recommendations, including network, software, social engineering and general mitigation strategies.

“A denial of service in the RSLinx component would not impact the operation of the PLC in most cases; however, it would prevent an Administrator from applying new configurations and changes to the PLC as well as lose visibility in the PLC’s operation,” David Wells, staff research engineer at Tenable, told SecurityWeek.

Cisco Talos this week revealed that one of its researchers discovered a high-severity flaw that can allow an attacker to cause a DoS condition in Rockwell’s RSLinx Classic, a widely used communication server for industrial automation products. The issue, tracked as CVE-2020-13573, is related to the product’s Ethernet/IP server functionality and it can be exploited by sending specially crafted network requests.

Rockwell Automation told Talos that the issue was resolved in November, but it appears that the vendor has not released a security advisory. Talos has published an advisory explaining how the vulnerability can be exploited.

Related: Flaws in Rockwell Automation Product Expose Engineering Workstations to Attacks

Related: Rockwell Automation Patches Critical DoS/RCE Flaw in RSLinx Software

Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.