High | Defensive Guidance | CVE-2020-13573

Service Disruption Vulnerability in Rockwell Automation's RSLinx Classic Ethernet/IP Server Unveiled

A denial-of-service vulnerability in Rockwell Automation's RSLinx Classic Ethernet/IP server (CVE-2020-13573) can be triggered by sending malicious network packets. The flaw affects version 2.57.00.14 CPR 9 SR 3, leading to service disruption without data compromise. Immediate patching is crucial for affected systems.

Summary

Rockwell Automation's RSLinx Classic Ethernet/IP server has a high-severity vulnerability (CVE-2020-13573) that can lead to a denial-of-service condition. The flaw exists in version 2.57.00.14 CPR 9 SR 3: specially crafted network requests cause the server to read from unmapped memory and crash. The CVSS score is 7.5 (high), reflecting the impact on availability.

What Happened

The vulnerability stems from improper handling of user-controlled input sizes in the Ethernet/IP server functionality. Specifically, when a "Register Session" request is followed by a "Send Unit Data" message whose Address Item Length is smaller than the data that actually follows, the server dereferences a pointer into unmapped memory and crashes.

Technical Details

The flaw occurs at address 67a4bb51 in the affected function. The code never checks that the user-supplied size is within what the application can handle. This missing bounds check lets an attacker-controlled Address Item Length (held in EDX) steer the computed address outside the allocated range, and the subsequent read crashes the process.

// Vulnerability happens here: EDX is the attacker-controlled Address Item Length
67a4bb51    lea     eax, [edx+eax+0x4]

The crash occurs when attempting to dereference EAX:

67a4bb5b    mov     ax, word [eax]    // Crash happens here

Affected Products and Fixed Versions

  • Affected Product: Rockwell Automation RSLinx Classic Ethernet/IP server.
  • Vulnerable Version: 2.57.00.14 CPR 9 SR 3.
  • Remediation: Update to a version where this vulnerability has been addressed.

Exploitation Status

While the CVE does not report active exploitation, its high CVSS score and potential impact on critical infrastructure make it a significant concern for defenders. Immediate patching is recommended to mitigate the risk.

Detection Opportunities

Organizations can monitor network traffic for patterns consistent with the exploit attempt, such as malformed "Register Session" requests followed by "Send Unit Data" messages with suspicious Address Item Lengths. Implementing intrusion detection systems (IDS) that recognize these specific packet structures could help in early detection and prevention of exploitation attempts.
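As an added illustration (not code from the advisory, Rockwell or Talos), the check below parses the EtherNet/IP encapsulation header and the Common Packet Format (CPF) item list of a "Send Unit Data" frame and reports an address item whose declared length disagrees with its item type or with the bytes that follow, which is the inconsistency the advisory describes. The item-type lengths and both sample frames are constructed for the example.

```python
import struct

# EtherNet/IP encapsulation header (24 bytes, little-endian): command, length, session, status, context, options
ENIP_HEADER = struct.Struct("<HHIIQI")
CMD_SEND_UNIT_DATA = 0x0070
# CPF address items with a spec-fixed length (assumed: null, connected, sequenced address item)
EXPECTED_ADDR_LEN = {0x0000: 0, 0x00A1: 4, 0x8002: 8}

def inspect_enip(frame: bytes) -> list:
    """Return findings for one EtherNet/IP frame; an empty list means no inconsistency seen."""
    findings = []
    if len(frame) < ENIP_HEADER.size:
        return ["short encapsulation header"]
    cmd, enc_len = ENIP_HEADER.unpack_from(frame)[:2]
    body = frame[ENIP_HEADER.size:]
    if enc_len != len(body):
        findings.append(f"encapsulation length {enc_len} != payload {len(body)}")
    if cmd != CMD_SEND_UNIT_DATA or len(body) < 8:
        return findings
    # SendUnitData body: interface handle (4), timeout (2), CPF item count (2), then the items
    item_count = struct.unpack_from("<H", body, 6)[0]
    off = 8
    for idx in range(item_count):
        if off + 4 > len(body):
            findings.append(f"item {idx}: item header runs past end of frame")
            break
        type_id, item_len = struct.unpack_from("<HH", body, off)
        avail = len(body) - (off + 4)
        if item_len > avail:
            findings.append(f"item {idx} (0x{type_id:04x}): length {item_len} exceeds {avail} bytes left")
            break
        expected = EXPECTED_ADDR_LEN.get(type_id) if idx == 0 else None  # item 0 is the Address Item
        if expected is not None and item_len != expected:
            findings.append(f"address item 0x{type_id:04x}: length {item_len}, expected {expected}")
        off += 4 + item_len
    if off != len(body):
        findings.append(f"CPF items cover {off} of {len(body)} body bytes")
    return findings

def build_send_unit_data(addr_len_field: int) -> bytes:
    """Constructed sample frame: connected address item (4-byte connection ID) plus a 4-byte data item."""
    addr_item = struct.pack("<HHI", 0x00A1, addr_len_field, 0x11223344)
    data_item = struct.pack("<HH", 0x00B1, 4) + b"\x01\x02\x03\x04"
    body = struct.pack("<IHH", 0, 0, 2) + addr_item + data_item
    return ENIP_HEADER.pack(CMD_SEND_UNIT_DATA, len(body), 1, 0, 0, 0) + body

GOOD_FRAME = build_send_unit_data(4)  # length field matches the 4-byte connection ID
BAD_FRAME = build_send_unit_data(2)   # length field shorter than the data that follows
```

Run over a TCP/44818 stream reassembled per session, the same logic can also require that a Send Unit Data frame's session handle was issued by an earlier Register Session reply.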

Why This Matters for Defenders

The availability of critical industrial control systems is paramount, and any disruption can have severe consequences. This vulnerability underscores the importance of timely patch management and network monitoring to protect against service disruptions caused by denial-of-service attacks.

What Remains Unclear

  • The extent of active exploitation in the wild remains unconfirmed.
  • Specific details about which environments or industries are most at risk are not fully detailed.

Defender Guidance

  1. Patch Immediately: Upgrade RSLinx Classic Ethernet/IP server to a version where CVE-2020-13573 is resolved.
  2. Network Monitoring: Implement IDS rules to detect and alert on suspicious network traffic patterns indicative of exploitation attempts.
  3. Incident Response Plan: Ensure that an incident response plan is in place, specifically addressing potential denial-of-service scenarios.

By following these steps, defenders can significantly reduce the risk posed by this vulnerability and maintain the integrity and availability of their critical systems.

Sources

  1. https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-02
  2. https://talosintelligence.com/vulnerability_reports/TALOS-2020-1184

Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -