Tenable Research Advisory: Rockwell Automation RSLinx Classic Lite RCE and DoS Vulnerability Discovered by Tenable

Ryan Seguin

Tenable Research has discovered multiple memory corruption issues in Rockwell Automation RSLinx Classic Lite 4.00.01 that may allow for remote code execution or denial of service. Customers are encouraged to update their software.

What do you need to know? Rockwell Automation RSLinx Classic could allow for memory corruption and remote code execution or denial of service.

What’s the attack vector? Common industrial protocol messages over port 44818 to the RSLINX.exe service.

What’s the business impact? Memory corruption and remote code execution could lead to malicious takeover of an asset.

What’s the solution? Apply the latest update from Rockwell Automation for RSLinx Classic.

Background

While researching methods for remotely identifying Rockwell Automation RSLinx Classic, Tenable Research found multiple memory corruption issues in RSLinx Classic Lite 4.00.01 (CVE-2018-14829 and CVE-2018-14821), which may allow an unauthenticated remote attacker to achieve remote code execution (RCE) or denial of service (DoS).

Analysis

RSLinx Classic Lite (RSLINX.exe) implements EtherNet/IP, which encapsulates common industrial protocol (CIP) messages. Due to RSLINX.exe not checking various CIP length fields against the number of received network data bytes thoroughly, an unauthenticated remote attacker can exploit this via port 44818 to cause memory corruption issues.

Within the buffer overflow caused through this exploit, an attacker can then trigger arbitrary code execution.

Vendor response

Rockwell Automation has released software patches for RSLinx Classic versions V3.60, V3.74, V3.80, V3.81, V3.90 and V4.00.01.

Solution

According to Rockwell Automation’s advisory, customers are strongly encouraged to update their software. They have also recommended customers disable port 44818 in RSLinx Classic if it is not utilized during system operation. Customers should also follow other security best practices like limiting administrator privileges and blocking all traffic to EtherNet/IP or other CIP-based devices from external sources.

Identifying affected systems

Tenable has released the following plugin to detect these vulnerabilities.

Plugin ID

Description

117671

Rockwell Automation RSLinx Classic <= 4.00.01 Multiple Vulnerabilities

Get more information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Read more >

Published on Sep 26, 2018

People also viewed

Customer Success Manager - ANZ

North Sydney Australia Pacific Highway, North Sydney, Australia, NSW 2060 Customer Success Sales
Your Role:Tenable has an immediate need for a Customer Success Manager who will be responsible for establishing and driving sales activities for our software products within a designated geography.Companies today are grappling with an ever expandi...

Field and Channel Marketing Manager, Nordics and Benelux

Uxbridge United Kingdom Furzeground Way , Stockley Park, Uxbridge, United Kingdom, UB11 1EZ Field & Channel Marketing Marketing
Your Role:Tenable seeks an experienced field and channel marketing manager to generate demand for Tenable products and solutions across our Scandinavia and Benelux territories.  The successful candidate will have demonstrated experience creating, ...

Finance & Investor Relations Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Finance Internships
Your Role:Tenable has a Finance and Investor Relations Intern opportunity for college students entering their senior year or actively enrolled in an MBA program. If you're looking for a chance to apply what you're learning in your degree program, ...

Senior Data Engineer

Dublin Ireland Campshires, Sir John Rogerson's Quay, Dublin, Ireland Research Engineering
Your Role:Data Engineers here are involved in designing, developing and maintaining systems for data analysis, transformation, modelling and visualisation. We work directly with the data scientists to develop cutting edge uses of the data we colle...

Technical Support Manager

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Technical Support Technical Support
Your Role:Tenable is seeking a high energy, results oriented customer advocate capable of motivating an already exceptional support team to even higher levels of customer satisfaction. Our current global rating is over 93% satisfaction and we expe...

Cloud Security Intern

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Information Security Internships
Your Role: The Cloud Security Intern will help the Tenable secure their use of cloud systems across the company.  The intern will develop, implement and monitor security solutions for cloud that assess risk, keep Tenable data safe and bake in secu...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.