Serious RCE flaw in Rockwell’s RSLinx variant fixed with a patch

• RSLinx Classic is a communication software package meant for managing industrial automation applications and devices. It is available on the Windows platform.
• A buffer overflow vulnerability existing in one of the software could have led to denial-of-service attacks as well as allowed remote code execution (RCE).

Rockwell Automation, one of the top industrial automation companies in the world, patched a major security vulnerability in its popular software package RSLinx Classic. The software helps configure and communicate with industrial automation devices and networks.

Researchers at Tenable had earlier found that RSLinx Classic contained a stack buffer overflow flaw due to a DLL file used by the software. This could have allowed a remote attacker to execute arbitrary code on the automation device.

Worth noting

• According to Tenable, the buffer overflow vulnerability existed in an Engine.dll file where an attacker could specify malicious instances in TCP port 44818.
• The vulnerability designated as CVE-2019-6553 could have led to denial-of-service attacks and subsequently allowed remote code execution (RCE).
• Affected products include RSLinx Classic v4.10.00 and older versions.
• The vulnerability was rated with a CVSS v3 score of 10.0 which indicates how ciritical it was.
• Upon notice, Rockwell Automation has released patches for the affected versions: v3.60, v3.70, v3.80, v3.81, v3.90, v4.00.01, v4.10.

How to protect your devices?

Rockwell Automation, as well as ICS-CERT have released security advisories emphasizing the severity of the flaw. The advisories highlight how the buffer overflow flaw could also be avoided by disabling the target port.

“Port 44818 is needed only when a user wants to utilize unsolicited messages. To check if you are using unsolicited messages, go to the 'DDE/OPC' dropdown in RSLinx Classic. Select Topic Configuration and then go to the Data Collection tab in the Topic Configuration pop-up. If the 'Unsolicited Messages' checkbox is marked, then Port 44818 is being used in the application,” read the ICS-CERT advisory.

Therefore, RSLinx Classic users are advised to make sure industrial devices are not accessible from the Internet to minimize the risk of being remotely attacked due to the vulnerability.