Remote exploitation of security vulnerabilities possible in Rockwell, Advantech equipment

Rockwell Automation and Advantech have detected major security vulnerabilities in equipment deployed in the critical infrastructure sectors, which can lead to remote exploitation by cyber attackers using low skill levels.

Exploitation of a security vulnerability through use of password hash without much computational effort has been detected in Rockwell’s FactoryTalk Services versions 6.10.00 and 6.11.00, according to an advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), after Rockwell reported the vulnerability to the agency.

Assigned a CVSS v3 base score of 10.0, the loophole could allow a remote, unauthenticated attacker to create new users in the FactoryTalk Services Platform administration console. These new users could allow an attacker to modify or delete configuration and application data in other FactoryTalk software connected to the FactoryTalk Services Platform, CISA said. The issue lies with the implementation of the SHA-256 hashing algorithm with the FactoryTalk Services Platform, which prevents the user password from being hashed properly.

Last week, Rockwell also detected an improper handling of length parameter inconsistency vulnerability in its Allen-Bradley MicroLogix 1100 Programmable Logic Controller (PLC) revision number 1.0, which is typically deployed in the critical manufacturing sector. The Cisco Talos team reported this vulnerability to the industrial automation company.

The vulnerability exists with the processing of ICMP packets with an invalid IPv4 length in the MicroLogix 1100 PLC. It could allow unauthenticated remote exploitation by a cyber attacker, who can send malformed packets and cause the controller to enter 8H Hard Fault, which could lead to denial-of-service conditions. To recover from the condition, the controller must be power cycled and the project redownloaded.

Three critical security vulnerabilities were also identified in Rockwell’s FactoryTalk Linx, and exploitation of these weaknesses can allow a denial-of-service condition, remote code execution or leak of information that could be used to bypass address space layout randomization (ASLR) within the industrial control systems (ICS).

Five critical vulnerabilities were also detected in Advantech’s Spectre RT Industrial Routers, involving improper neutralization of input during web page generation, cleartext transmission of sensitive information, improper restriction of excessive authentication attempts, use of a broken or risky cryptographic algorithm, and use of platform-dependent third-party components. Ilya Karpov and Evgeniy Druzhinin of Rostelecom-Solar and Vlad Komarov of ScadaX reported these vulnerabilities to CISA.

Remote exploitation of the vulnerabilities using low skills is possible, and this can affect any Advantech industrial cellular routers within the firmware. The company has advised its users to update to version 6.2.7 or later. Most of the vulnerabilities were already fixed in the firmware version 6.1.10 that was released in July 2019, it added,

Advantech’s BB-ESWGP506-2SFP-T industrial PoE (power over Ethernet) switches, used in multiple critical infrastructure sectors, were also detected to have a vulnerability, for which the CVSS v3 calculated a base score of 9.8. The vulnerability uses hard-coded credentials, which could allow an attacker to gain unauthorized access to sensitive information and permit the execution of arbitrary code. An anonymous researcher working with Trend Micro’s Zero Day Initiative reported this vulnerability to CISA.

As Advantech no longer sells or maintains BB-ESWGP506-2SFP-T equipment, the Taipei, Taiwan-based manufacturer considers it to be an end-of-life product, and recommends that aff

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.