#VU49158 Uncontrolled memory allocation in FactoryTalk Linx
Vulnerability identifier: #VU49158
Vulnerability risk: Low
CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-789
Exploitation vector: Local
Exploit availability: Yes
Vulnerable software:
FactoryTalk Linx
Server applications /
SCADA systems
Vendor: Rockwell Automation
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled memory allocation in RSLinxNG.exe. An attacker-controlled memory allocation size can be passed to the C++ new operator in the CServerManager::HandleBrowseLoadIconStreamRequest function in messaging.dll. A local attacker can send a specially crafted LoadIconStream message to 127.0.0.1:7153 to cause the new operator to allocate a large amount of memory. It's been observed that a large allocation size (i.e., 0xffffffff) can cause an unhandled exception in RSLinxNG.exe, which results in process termination of RSLinxNG.exe.
A local user can perform a denial of service attack.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
FactoryTalk Linx: 6.10 - 6.20
External links
http://www.tenable.com/security/research/tra-2020-71
http://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1129496/redirect
http://ics-cert.us-cert.gov/advisories/icsa-21-028-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
