In Rockwell Automation RSLinx Classic versions 4.1.00 and prior, an authenticated local attacker could modify a registry key, which could lead to the execution of malicious code using system privileges when opening RSLinx Classic.
ICS Advisory (ICSA-20-100-01)
Rockwell Automation RSLinx Classic
All information products included in https://us-cert.gov/ics are provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://www.us-cert.gov/tlp/.
1. EXECUTIVE SUMMARY
CVSS v3 8.8
ATTENTION: Low skill level to exploit
Vendor: Rockwell Automation
Equipment: RSLinx Classic
Vulnerability: Incorrect Permission Assignment for Critical Resource
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a local authenticated attacker to execute malicious code when opening RSLinx Classic.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of RSLinx Classic PLC communications software are affected:
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.