Rockwell Automation has released a patch to address a vulnerability in one of the company’s human-machine interface (HMI) products that can be exploited by malicious actors to obtain user-defined passwords.
According to an advisory published by ICS-CERT on Wednesday, the security flaw affects RSView32, an integrated, component-based HMI solution designed for monitoring and controlling automation machines and processes. Researchers of the Russia-based security firm Ural Security System Center (USSC) have been credited for finding and reporting the vulnerability to Rockwell.
The usernames and passwords set by users for RSView32 are stored in a file. The problem is that the encryption algorithms used to protect these credentials are outdated, allowing attackers to gain access to the information by decrypting the file.
ICS-CERT has pointed out that the vulnerability cannot be exploited remotely, and that exploitation requires user interaction.
“This exploit requires an attacker gaining local access to the specific file storing passwords local to the RSView32 product. This involves local or remote access, reverse-engineering, and some form of successful social-engineering,” ICS-CERT noted in its advisory.
The vulnerability, for which the CVE-2015-1010 identifier has been assigned, affects RSView32 version 7.60.00 (CPR9 SR4) and prior. Rockwell has released a patch to mitigate the risk associated with the flaw.
In addition to applying the patch, Rockwell advises customers to limit access to the product to authorized personnel, use Microsoft AppLocker or another application whitelisting tool to mitigate risks, and maintain layered physical and logical security. Security training for employees, downloading patches only from trusted sources, and establishing a staged patch management and product upgrade strategy are also recommended.
Rockwell advises customers to migrate from RSView32 to FactoryTalk View Site Edition (SE), an HMI product which, according to the company, provides unprecedented levels of control and information access.
Users who want to continue to use RSView32 should upgrade the operating system on which the product runs to a compatible version that is as current as possible and still supported by the developer. Since RSView32 is designed for Microsoft Windows environments, this piece of advice likely refers to upgrading from Windows XP, which is no longer supported by Microsoft.