SB2020122808 - Multiple vulnerabilities in Rockwell Automation FactoryTalk Linx

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Uncaught Exception (CVE-ID: CVE-2020-5801)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an uncaught exception when processing OpenNamespace messages. The OpenNamespace message is sent to TCP port 4241 to obtain a session identifier. Subsequent requests require a valid session-id to interact with the service listening on that port. In the OpenNamespace message, the session-id field in the message header should be absent or empty. If a second OpenNamespace request is sent with a valid session-id in it, the CFTLDManager::HandleRequest function in RnaDaSvr.dll loaded in RSLinxNG.exe leads to unhandled exception, resulting in termination of RSLinxNG.exe.

A remote non-authenticated attacker can send a malformed request and crash the RSLinxNG.exe service.

2) Uncontrolled memory allocation (CVE-ID: CVE-2020-5802)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an uncontrolled memory allocation in RSLinxNG.exe. An attacker-controlled memory allocation size can be passed to the C++ new operator in RnaDaSvr.dll by sending a specially crafted ConfigureItems message to TCP prot 4241. This will cause the new operator to allocate a large amount of memory. It's been observed that a large allocation size (i.e., 0xfffffff3) can cause an unhandled exception in RSLinxNG.exe, which results in process termination of RSLinxNG.exe.

A remote non-authenticated attacker can send a malformed request and crash the RSLinxNG.exe service.

3) Uncontrolled memory allocation (CVE-ID: CVE-2020-5806)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to uncontrolled memory allocation in RSLinxNG.exe. An attacker-controlled memory allocation size can be passed to the C++ new operator in the CServerManager::HandleBrowseLoadIconStreamRequest function in messaging.dll. A local attacker can send a specially crafted LoadIconStream message to 127.0.0.1:7153 to cause the new operator to allocate a large amount of memory. It's been observed that a large allocation size (i.e., 0xffffffff) can cause an unhandled exception in RSLinxNG.exe, which results in process termination of RSLinxNG.exe.

A local user can perform a denial of service attack.

4) Input validation error (CVE-ID: CVE-2020-5807)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. An unauthenticated remote attacker can send data to RsvcHost.exe listening on TCP port 5241 to add entries in the FactoryTalk Diagnostics event log. A local user can use the FactoryTalk Diagnostics Viewer (FTDiagViewer.exe) to view the log. The attacker can specify long fields in the log entry, which can cause an unhandled exception by wcscpy_s() in FTDiagnosticsViewer.dll loaded in FTDiagViewer.exe, resulting in process termination.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://www.tenable.com/security/research/tra-2020-71
• https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1129496/redirect
• https://ics-cert.us-cert.gov/advisories/icsa-21-028-01