A serious vulnerability has been identified in Rockwell Automation solutions for industrial networks RSLinx Classic and FactoryTalk Linx Gateway
Analysis Summary
The following technical profile summarizes the vulnerability as documented in the Rockwell Automation advisory from 2018 and the advisories that reference it.
# Vulnerability: Stack-based Buffer Overflow in Rockwell Automation RSLinx Classic
## CVE Details
- **CVE ID:** CVE-2018-10835
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-121 (Stack-based Buffer Overflow)
## Affected Systems
- **Products:**
  - RSLinx Classic
  - FactoryTalk Linx Gateway (formerly RSLinx Enterprise Gateway)
- **Versions:**
  - RSLinx Classic versions 4.00.01 and prior
  - FactoryTalk Linx Gateway versions 5.92.00 and prior
- **Configurations:** Systems where the software is acting as a communication server over Port 2222 (EtherNet/IP).
## Vulnerability Description
The vulnerability is a stack-based buffer overflow in the code that processes EtherNet/IP packets. An attacker can send a specially crafted packet to the target device via Port 2222/TCP. Because the application fails to validate the length of the input before copying it into a fixed-length stack buffer, memory beyond the end of that buffer is overwritten. This allows arbitrary code execution with the privileges of the service (typically SYSTEM).
## Exploitation
- **Status:** PoC available / Publicly documented
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Full access to system data)
- **Integrity:** Total (Ability to modify system files and logic)
- **Availability:** Total (Potential for system crash or permanent takeover)
## Remediation
### Patches
- **RSLinx Classic:** Upgrade to version 4.10.00 or later.
- **FactoryTalk Linx Gateway:** Upgrade to FactoryTalk Linx v6.00.00 or later.
### Workarounds
- **Port Filtering:** Block or restrict access to Port 2222/TCP and Port 44818/TCP at the network perimeter.
- **Access Control:** Utilize IPSec to encrypt and authenticate traffic between trusted nodes only.
- **Principle of Least Privilege:** Run the software under a restricted user account if possible (though difficult for these specific industrial services).
## Detection
- **Indicators of Compromise:** Unusual traffic spikes on Port 2222; unexpected crashes of the `RSLinx.exe` or `Harmony.exe` processes.
- **Detection methods and tools:**
  - Use Intrusion Detection Systems (IDS) with signatures for EtherNet/IP buffer overflow attempts.
  - Monitor Windows Event Logs for Service Control Manager errors related to RSLinx service restarts.
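The two indicators above (a burst of traffic to TCP/2222 and Service Control Manager errors for the RSLinx processes) can be checked together from exported flow records and a Windows System log export. The script below is an added example, not code from the advisory or from Rockwell Automation: the flow lines and event lines are constructed, the service name strings and timestamps are assumed, and the only real identifiers it relies on are Event IDs 7034 and 7031 (Service Control Manager "service terminated unexpectedly" events). It flags sources that exceed a per-window flow count to port 2222 and correlates them with RSLinx service crashes that follow within a grace period.

```python
"""Defensive correlation of two indicators: bursts to TCP/2222 and
Service Control Manager (SCM) crash events for RSLinx. Sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow export: "timestamp,src_ip,dst_ip,dst_port,bytes"
SAMPLE_FLOWS = """\
2024-05-01T10:00:00,10.0.1.5,10.0.1.20,2222,180
2024-05-01T10:00:03,10.0.1.5,10.0.1.20,2222,176
2024-05-01T10:00:10,10.0.1.7,10.0.1.20,44818,98
2024-05-01T10:05:00,10.0.9.99,10.0.1.20,2222,1400
2024-05-01T10:05:01,10.0.9.99,10.0.1.20,2222,1400
2024-05-01T10:05:01,10.0.9.99,10.0.1.20,2222,1400
2024-05-01T10:05:02,10.0.9.99,10.0.1.20,2222,1400
2024-05-01T10:05:02,10.0.9.99,10.0.1.20,2222,1400
2024-05-01T10:05:03,10.0.9.99,10.0.1.20,2222,1400
"""

# Constructed System log export: "date time  level  source  event_id  message".
# 7034/7031 are the real SCM "terminated unexpectedly" IDs; service names are assumed.
SAMPLE_EVENTS = """\
2024-05-01 10:04:58  Information  Service Control Manager  7036  The Print Spooler service entered the running state.
2024-05-01 10:05:04  Error  Service Control Manager  7034  The RSLinx Classic service terminated unexpectedly. It has done this 1 time(s).
2024-05-01 10:05:20  Error  Application Error  1000  Faulting application name: RSLINX.EXE, version: 4.0.1.0
2024-05-01 10:05:35  Error  Service Control Manager  7031  The RSLinx Classic service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
"""

SCM_CRASH_IDS = {7031, 7034}
RSLINX_NAMES = re.compile(r"RSLinx|Harmony", re.IGNORECASE)
EVENT_RE = re.compile(r"^(\S+ \S+)\s+(\w+)\s+(.+?)\s+(\d{3,5})\s+(.*)$")


def flows_to_port(flow_text, port=2222):
    """Parse flow lines and keep only those whose destination port matches."""
    rows = []
    for line in flow_text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        if int(dport) == port:
            rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def burst_sources(flow_text, port=2222, window=timedelta(seconds=10), max_per_window=3):
    """Return {src: peak_count} for sources that exceed max_per_window flows to
    `port` inside any sliding window of length `window` (threshold is assumed)."""
    by_src = defaultdict(list)
    for ts, src, _dst, _nbytes in flows_to_port(flow_text, port):
        by_src[src].append(ts)
    offenders = {}
    for src, times in by_src.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            offenders[src] = peak
    return offenders


def rslinx_service_crashes(event_text):
    """Return (timestamp, event_id, message) for SCM crash events naming RSLinx/Harmony."""
    hits = []
    for line in event_text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, _level, source, event_id, message = m.groups()
        if (source == "Service Control Manager"
                and int(event_id) in SCM_CRASH_IDS
                and RSLINX_NAMES.search(message)):
            hits.append((ts, int(event_id), message))
    return hits


def correlate(flow_text, event_text, grace=timedelta(seconds=120)):
    """Pair each burst source with RSLinx crash events seen within `grace` after
    the source's last flow to port 2222; one alert dict per (source, event)."""
    alerts = []
    crashes = rslinx_service_crashes(event_text)
    for src, peak in burst_sources(flow_text).items():
        last_seen = max(t for t, s, _, _ in flows_to_port(flow_text) if s == src)
        for ts, event_id, _msg in crashes:
            crash_at = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            if timedelta(0) <= crash_at - last_seen <= grace:
                alerts.append({"source": src, "flows_in_window": peak,
                               "event_id": event_id, "crash_at": ts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_FLOWS, SAMPLE_EVENTS):
        print(alert)
```

The threshold (more than three flows to port 2222 within ten seconds) is a placeholder; in a real deployment it should be derived from the baseline of legitimate EtherNet/IP polling on the segment, and the event text should come from an exported System log or a SIEM query rather than the constructed lines above.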
## References
- **Vendor Advisory:** hxxps[://]rockwellautomation[.]custhelp[.]com/app/answers/detail/a_id/1075673
- **ICS-CERT Advisory:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-18-144-01
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/06/09/serious-vulnerability-in-rslinx-classic-and-factorytalk-linx-gateway/