#VU49156 Uncaught Exception in FactoryTalk Linx


Published: 2020-12-28 | Updated: 2021-01-29

Vulnerability identifier: #VU49156

Vulnerability risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C]

CVE-ID: CVE-2020-5801

CWE-ID: CWE-248

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
FactoryTalk Linx
Server applications / SCADA systems

Vendor: Rockwell Automation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an uncaught exception when processing OpenNamespace messages. An OpenNamespace message is sent to TCP port 4241 to obtain a session identifier; all subsequent requests to the service listening on that port must carry a valid session-id. In an OpenNamespace message the session-id field of the message header must be absent or empty. If a second OpenNamespace request is sent that carries a valid session-id, the CFTLDManager::HandleRequest function in RnaDaSvr.dll (loaded into RSLinxNG.exe) raises an exception that is never handled, and RSLinxNG.exe terminates.

A remote non-authenticated attacker can send a malformed request and crash the RSLinxNG.exe service.
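The request sequence the description gives, and the CWE-248 point behind it, as an added example (this is not code from Cybersecurity Help, Tenable or Rockwell). It does two things: a stateful traffic check that flags an OpenNamespace request on TCP/4241 carrying a session-id, and specifically one that re-uses a session-id the same client already has in use; and a toy dispatcher showing why an exception escaping the handler ends the whole service while one caught at the dispatch boundary becomes an error reply. Assumptions: requests are already decoded into the `Request` fields shown (the advisory does not give the wire format, so no parsing is attempted), the message type names other than OpenNamespace and the sample traffic are constructed, and `ToyHandler` is a model of the described behaviour, not RSLinxNG code.

```python
"""Sequence check and CWE-248 model for #VU49156 (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

LINX_PORT = 4241  # TCP port named in the advisory


@dataclass(frozen=True)
class Request:
    client: str                 # client endpoint, e.g. "10.0.0.5:50123" (constructed)
    dst_port: int
    msg_type: str               # "OpenNamespace" or any other request type (names assumed)
    session_id: Optional[str]   # None or "" means the header field is absent/empty


def check_sequence(requests: List[Request]) -> List[str]:
    """One alert per suspicious OpenNamespace request.

    Per the advisory, OpenNamespace must have an empty session-id and every other
    request must carry one. Assumption: only the client->server direction is seen,
    so a session-id on a non-OpenNamespace request is taken as "in use" by that client.
    """
    in_use: Dict[str, Set[str]] = {}
    alerts: List[str] = []
    for i, req in enumerate(requests):
        if req.dst_port != LINX_PORT:
            continue
        sid = req.session_id or ""
        if req.msg_type != "OpenNamespace":
            if sid:
                in_use.setdefault(req.client, set()).add(sid)
            continue
        if not sid:
            continue  # normal: first OpenNamespace, no session yet
        if sid in in_use.get(req.client, set()):
            alerts.append(f"#{i} {req.client}: OpenNamespace re-uses live session-id "
                          f"{sid!r} (matches the #VU49156 crash condition)")
        else:
            alerts.append(f"#{i} {req.client}: OpenNamespace carries session-id "
                          f"{sid!r} (field must be empty)")
    return alerts


class ToyHandler:
    """Model of the described handler behaviour; NOT RSLinxNG/RnaDaSvr.dll code."""

    def __init__(self) -> None:
        self.sessions: Set[str] = set()
        self._next = 0

    def handle_request(self, req: Request) -> str:
        if req.msg_type == "OpenNamespace":
            if req.session_id:
                # models the exception the advisory says is never handled
                raise RuntimeError("OpenNamespace with session-id")
            self._next += 1
            sid = f"sess-{self._next}"
            self.sessions.add(sid)
            return f"session-id={sid}"
        if req.session_id not in self.sessions:
            return "error: invalid session-id"
        return f"ok {req.msg_type}"


def serve(handler: ToyHandler, requests: List[Request], catch_at_boundary: bool) -> List[str]:
    """Feed requests to the handler and return the replies.

    catch_at_boundary=False: an escaping exception ends the service loop, so later
    requests are never answered (the RSLinxNG.exe termination). True: the dispatcher
    turns the exception into an error reply and keeps serving.
    """
    replies: List[str] = []
    for req in requests:
        try:
            replies.append(handler.handle_request(req))
        except Exception as exc:
            if not catch_at_boundary:
                replies.append(f"SERVICE TERMINATED: {exc}")
                break
            replies.append(f"error: malformed request ({exc})")
    return replies


# Constructed traffic, not a capture: two normal clients, then the advisory's sequence.
SAMPLE = [
    Request("10.0.0.5:50123", LINX_PORT, "OpenNamespace", None),
    Request("10.0.0.5:50123", LINX_PORT, "Browse", "sess-1"),
    Request("10.0.0.9:40001", LINX_PORT, "OpenNamespace", ""),
    Request("10.0.0.9:40001", LINX_PORT, "Read", "sess-2"),
    Request("10.0.0.9:40001", LINX_PORT, "OpenNamespace", "sess-2"),  # crash condition
    Request("10.0.0.5:50123", LINX_PORT, "Read", "sess-1"),           # unanswered if the service died
    Request("10.0.0.7:33333", LINX_PORT, "OpenNamespace", "bogus"),   # malformed, id not in use
]

if __name__ == "__main__":
    for alert in check_sequence(SAMPLE):
        print(alert)
    print(serve(ToyHandler(), SAMPLE, catch_at_boundary=False))
    print(serve(ToyHandler(), SAMPLE, catch_at_boundary=True))
```

The check is deliberately stateless about the server's view: a session-id on any OpenNamespace request is already a protocol violation worth alerting on, and the re-use case is only raised to a stronger alert because it matches the crash precondition exactly.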

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

FactoryTalk Linx: 6.00 - 6.20


External links
http://www.tenable.com/security/research/tra-2020-71
http://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1129496/redirect
http://ics-cert.us-cert.gov/advisories/icsa-21-028-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

