Rockwell Patches Code Execution Flaw in RSLogix Product

Rockwell Automation has released patches for some of its RSLogix products to address a vulnerability that can be leveraged to execute arbitrary code on a targeted system. Fortunately, the security hole is not easy to exploit.

RSLogix, a programming package for Rockwell products, is used around the world in the food and agriculture, critical manufacturing, water and chemical sectors.

All versions of RSLogix Micro Starter Lite and Micro Developer, and RSLogix 500 Starter Edition, Standard Edition and Professional Edition are plagued by a buffer overflow vulnerability (CVE-2016-5814) caused by the way the product handles project files with an RSS extension.

An attacker can exploit the vulnerability if they can trick a local user into opening a specially crafted RSS file with an affected version of RSLogix. If the attack is successful, the malicious code is executed with the privileges of the victim.

In addition to applying the patches that address this flaw, Rockwell has advised customers to avoid running software with administrator privileges, avoid opening untrusted files, and limit network exposure for critical systems.

The vulnerability was reported to Rockwell Automation by researcher Ariele Caltabiano, aka kimiya, via the Zero Day Initiative (ZDI) and ICS-CERT. The advisory submitted to ZDI has yet to be made public – the organization gives vendors 120 days to patch a flaw before its details are disclosed, but only 108 days have passed in this case.

While ICS-CERT has classified this vulnerability as high severity, with a CVSSv3 score of 8.6, ZDI rated it only medium severity, with a CVSSv3 score of 6.8. Swiss-based security firm SCIP estimates on its VulDB website that an exploit for this vulnerability is worth between $2,000 and $5,000.

Another vulnerability reported via ZDI and detailed by ICS-CERT in a recent advisory is a privilege escalation issue found by researcher Andrea Micalizzi in ABB’s data analysis software DataManagerPro.

The flaw, tracked as CVE-2016-4526, allows an authenticated attacker to elevate their privileges to administrator by swapping DLLs in the package directory. The bug has been addressed by ABB with the release of DataManagerPro 1.7.1.

“The specific flaw exists within the file permissions set during product installation. The World account is set to have full rights to the directory that contains the binaries that are executed by system administrators. File substitution would then allow a standard user on the system to replace code that is subsequently run by a system administrator,” ZDI explained in an advisory.

Related: Learn More at the ICS Cyber Security Conference

Related: Flaws in Rockwell PLCs Expose Operational Networks

Related: Flaw Allows Attackers to Modify Firmware on Rockwell PLCs