Australia's Leading Computer Emergency Response Team

ASB-2013.0052 - [Win] Rockwell Automation Factorytalk & RSLinx Enterprise: Denial of service - Remote/unauthenticated
Date: 11 April 2013
Original URL: http://www.auscert.org.au/render.html?cid=10415&it=17364

Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0052
        ICSA-13-095-02 - Rockwell Automation Factorytalk and RSlinx
                        - Multiple vulnerabilities
                               11 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Rockwell Automation Factorytalk & RSLinx Enterprise
Operating System:     Windows
Impact/Access:        Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-4714 CVE-2012-4713 CVE-2012-4695
Member content until: Saturday, May 11 2013

OVERVIEW

        Multiple vulnerabilities have been identified in Rockwell's Automation 
        Factorytalk. [1]
        
        A vulnerability has been identified in Rockwell's RSLinx Enterprise [1]
        Software.


IMPACT

        ICS-CERT have stated the following:
        
        "The FactoryTalk Services Platform (RNADiagnostics.dll) does not 
        validate input correctly and cannot allocate a negative integer. By
        sending a negative integer input to the service over Port 4445/UDP, an
        attacker could cause a DoS condition that prevents subsequent 
        processing of connections. An attacker could possibly cause the 
        RNADiagnostics.dll or RNADiagReceiver.exe service to terminate.
        
        CVE-2012-4713 has been assigned to this vulnerability. A CVSS v2 base
        score of 7.8 has been assigned; the CVSS vector string is 
        (AV:N/AC:L/Au:N/C:N/I:N/A:C)." [1]
        
        "The FactoryTalk Services Platform (RNADiagnostics.dll) does not handle
        input correctly and cannot allocate an over-sized integer. By sending
        an over-sized integer input to the service over Port 4445/UDP, an 
        attacker could cause a DoS condition that prevents subsequent 
        processing of connections. An attacker could possibly cause the service 
        to terminate.
        
        CVE-2012-4714 has been assigned to this vulnerability. A CVSS v2 base 
        score of 7.8 has been assigned; the CVSS vector string is 
        (AV:N/AC:L/Au:N/C:N/I:N/A:C)." [1]
        
        "The RSLinx Enterprise Software (LogReceiver.exe and Logger.dll) does 
        not handle input correctly and results in a logic error if it receives 
        a zero byte datagram. If an attacker sends a datagram of zero byte size
        to the receiver over Port 4444/UDP (user-configurable, not enabled
        by default), the attacker would cause a DoS condition where the 
        service silently ignores further incoming requests.
        
        CVE-2012-4695 has been assigned to this vulnerability. A CVSS v2 base 
        score of 7.8 has been assigned; the CVSS vector string is 
        (AV:N/AC:L/Au:N/C:N/I:N/A:C)." [1]


MITIGATION

        The vendor has released patches to correct these vulnerabilities which
        are available from:
        https://rockwellautomation.custhelp.com/app/answers/detail/a_id/537599


REFERENCES

        [1] ICSA-13-095-02 ROCKWELL AUTOMATION FACTORYTALK AND RSLINX MULTIPLE
            VULNERABILITIES
            http://ics-cert.us-cert.gov/pdf/ICSA-13-095-02.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUWZUT+4yVqjM2NGpAQK4zQ/9Gd9pM29/tIy8mCE+jar8HeCnRZNOXKNX
mX26iqCMB40MgHm6YNMakZLvD4zKnZYyLGHbjpr0S3X9P3Iu92SrtIDZgn9O4I5Z
ET1KDzkEMteSFesMtLp+ofZs7gh2m+xwa4gceBEVuFMTUO7ZWnVjokxM+VjxPnHf
h794uuuMnMHnbPTZlmOENCZojY8HnRt/k2gjga5o33r3tuv25sCiOwNSb6MsieD6
CH6cRfdRHn44eW6b+vFfwla2z48d6a0BQc7RrsmnBnJaKNinwjPhB9XalLsCJMvu
C1QF0LAePHQSuKkF+aMcu50vYN2FVCVYbiDB34EVQYJmgQEBBHeuMR0OS2b6BO6j
yaLN0Y0fDoLenGg5yblhY4OznuM1cNq/y3g24Iw6Qs7xa4lC8PTjyT2qx+C6Gech
zKgIa1LdBgwVlUtF5lbsc6HUXknaWPFjC6Z/FHbBPCQCbED3Xq6qexcTC88m2mdU
/+0VRUow8yAFqNmY7EVS8BSjxDktTVL3lFM/jTS6Aw68koPhwDqQxzphgg5RGpSz
wb7L420hq4t2Ge6hWB2ttNc8uC5t7u0meSTEzTZftUfSSCo/LRFKY3TM38ek1ez4
04HaT7UwybInytVx+Av2t4E3JYiBQgKUzC+RrNOP2hBgYJgZg0N4DLYhpX+mBts4
R9GhXFTRCkY=
=2pNJ
-----END PGP SIGNATURE-----