FYI - Rockwell Software

padees

Member
Join Date
Aug 2011
Location
Michigan
Posts
869
I know people may not get notices...

Dear Rockwell Automation Software User:
Rockwell Automation is releasing an update to its notice titled "FactoryTalk Activation Unquoted Service Path Privilege Escalation". You are receiving this notification based on software activation and download records as of the release date of this updated notice.
Please click on this link to review Knowledgebase Article ID 1030685 - https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1030685. The full text of the Knowledgebase Article is also provided below for your convenience.
Version 1.2 - August 24, 2017
Version 1.1 - March 21, 2017
Version 1.0 - February 16, 2017

Update: March 21, 2017
A complete list of the software products that distribute versions of FactoryTalk® Activation Manager has been identified and listed under the affected products below. FactoryTalk Activation is a component of the FactoryTalk Services Platform that enables customers to activate and manage Rockwell Automation software products via activation files that are downloaded from the Internet.
In those instances where customers using one of the listed software products are unable to update to the latest version of FactoryTalk Activation, please refer to the KnowledgeBase Article ID 939382 to verify and patch any unquoted service paths in a specific system.
An unquoted service path privilege escalation vulnerability is a known and documented vulnerability that affects all versions of Windows that support spaces in file path names. Certain versions of FactoryTalk® Activation Manager are susceptible to this vulnerability. FactoryTalk Activation is a component of the FactoryTalk Services Platform that enables customers to activate and manage Rockwell Automation software products via activation files that are downloaded from the Internet. This vulnerability can be exploited to link to, or run, a malicious executable of the attacker's choosing.
Rockwell Automation has provided a software update containing the remediation for this vulnerability. Rockwell Automation has also provided a series of steps to allow customers to mitigate this vulnerability in previously downloaded versions. Further details about this vulnerability, as well as recommended countermeasures, are contained below.
AFFECTED PRODUCTS
FactoryTalk Activation Service v4.00.02 and earlier
Update: March 21, 2017
The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. All versions prior to v4.00.02 of the FactoryTalk Activation Service are affected. In other words, customers who recognize products from the following list are using FactoryTalk Activation Manager, and they may consult the Risk Mitigation section of this advisory for information on how to verify that their systems are affected and how to manually address this vulnerability.

  • Arena®
  • Emonitor®
  • FactoryTalk® AssetCentre
  • FactoryTalk® Batch
  • FactoryTalk® EnergyMetrix™
  • FactoryTalk® eProcedure®
  • FactoryTalk® Gateway
  • FactoryTalk® Historian Site Edition (SE)
  • FactoryTalk® Historian Classic
  • FactoryTalk® Information Server
  • FactoryTalk® Metrics
  • FactoryTalk® Transaction Manager
  • FactoryTalk® VantagePoint®
  • FactoryTalk® View Machine Edition (ME)
  • FactoryTalk® View Site Edition (SE)
  • FactoryTalk® ViewPoint
  • RSFieldBus™
  • RSLinx® Classic
  • RSLogix 500®
  • RSLogix 5000®
  • RSLogix™ 5
  • RSLogix™ Emulate 5000
  • RSNetWorx™
  • RSView®32
  • SoftLogix™ 5800
  • Studio 5000 Architect®
  • Studio 5000 Logix Designer®
  • Studio 5000 View Designer®
  • Studio 5000® Logix Emulate™
 
Rest of it:


VULNERABILITY DETAILS
Successful exploitation of this vulnerability could potentially allow an authorized, but non-privileged, local user to execute arbitrary code with elevated privileges on the system. A well-defined service path enables Windows to easily find the path to a service; this is accomplished by containing the path within quotation marks. Without quotation marks, any whitespace in the file path remains ambiguous, and an attacker could drop a malicious executable if the service path is discovered.
This vulnerability allows an authorized individual with access to a file system to possibly escalate privileges by inserting arbitrary code into the unquoted service path. When the Windows Service Manager starts the service, it will attempt to launch the implanted executable rather than the intended and authentic executable.
A CVSS v3 base score of 8.8 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
RISK MITIGATIONS
Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.
Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation. To download v4.01 or later, go to this link for the Product Compatibility and Download Center (PCDC) and select "Select Files" icon for all Free Downloads. Select latest FactoryTalk Activation from the list of downloads.
Update: August 24, 2017
Customers can consult with the Product Compatibility and Download Center Standard Views --> Software Latest Versions --> FactoryTalk Activation for compatibility details concerning the latest FactoryTalk Activation Manager.
Note: When centralizing FactoryTalk Activation Manager (FTAM) to a single server host, it is important to ensure that the centralized Activation server is running a version of FactoryTalk Activation Manager equal to, or greater than, the latest version of client FTAM on your network. It is important to update the central activation servers before client activation servers. For details visit Knowledgebase Article ID 612825 Managing Remote FactoryTalk Activation Manager Servers.
If unable to upgrade to the latest version visit KnowledgeBase Article ID 939382, which describes how to identify whether or not your service path contains spaces (i.e. is vulnerable); how to manually address this vulnerability through a registry edit; and walks through the process of doing such edits.
Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.

  • Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in Knowledgebase Article ID 546987.
  • Use trusted software, software patches, anti-virus / anti-malware programs, and interact only with trusted web sites and attachments.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
Refer to http://www.rockwellautomation.com/r...ologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory, the Rockwell Automation Security Advisory Index at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/54102 and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter. For further information on our Vulnerability Management process, please refer to our Product Security Vulnerability FAQ document.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation, and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
If you have questions regarding this notice, please send an email to our product security inbox at: [email protected].
ADDITIONAL LINKS
Security Advisory Index, Knowledgebase Article ID 54102
Product Security Vulnerability FAQ
If you did not have a Knowledgebase account previously registered to this email address, a free account has been created for you. Please use your Rockwell Automation Member account information that you use to download firmware from the Rockwell Automation Product Compatibility and Download Center (PCDC) to access your Knowledgebase account. If you have any difficulties logging into your Knowledgebase account, please send an email to our Knowledgebase support center at [email protected]. Include a complete screenshot of your browser window that shows the error, the address (URL), and the status bar at the bottom of the browser window.
Thank you for your time,
 
Last edited:
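
Added example (not part of the original post or of Rockwell's advisory): a Python check for the unquoted-service-path condition the advisory describes, run over constructed ImagePath strings. The service names and paths are made up and the `.exe` split is a heuristic; on a real host the values come from each service's ImagePath under HKLM\SYSTEM\CurrentControlSet\Services.

```python
import re

# Constructed sample ImagePath values; names and paths are made up, not from the advisory.
SAMPLES = {
    "ExampleLicensingSvc": r"C:\Program Files (x86)\Example Vendor\Licensing Service\svc.exe -k run",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\svc.exe" -k run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "DriverSvc": r"\SystemRoot\System32\drivers\example.sys",
}

# Heuristic (assumption): the executable ends at the first ".exe" followed by whitespace or end.
EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)

def split_image_path(image_path):
    """Return (executable, arguments, was_quoted) for one ImagePath string."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end != -1:
            return s[1:end], s[end + 1:].strip(), True
    m = EXE_RE.match(s)
    if m:
        return m.group(1), (m.group(2) or "").strip(), False
    return s, "", False

def ambiguous_candidates(exe):
    """Earlier readings of an unquoted path: one per space, each tried before the real file."""
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def audit(services):
    """Flag unquoted executables containing spaces and propose the quoted value."""
    findings = []
    for name, image_path in sorted(services.items()):
        exe, args, quoted = split_image_path(image_path)
        if quoted or " " not in exe:
            continue
        findings.append({
            "service": name,
            "executable": exe,
            # These files must not exist, and their folders must not be user-writable.
            "check_absent": ambiguous_candidates(exe),
            "quoted_image_path": f'"{exe}"' + (f" {args}" if args else ""),
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLES):
        print(f["service"], f["check_absent"], "->", f["quoted_image_path"])
```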
I got that today too. Still trying to figure out what the problem is through all the Politically Correct softening and a$$ covering.

Geez just tell us what you screwed up and let us fix it!
 
From this bit:

Certain versions of FactoryTalk® Activation Manager are susceptible to this vulnerability. FactoryTalk Activation is a component of the FactoryTalk Services Platform that enables customers to activate and manage Rockwell Automation software products via activation files that are downloaded from the Internet. This vulnerability can be exploited to link to, or run, a malicious executable of the attacker's choosing.

The problem is that the listed software can be pointed to an executable file and run it (possibly with administrator privileges). Someone could then perhaps try to use the activation mechanism (I don't know whether it can be called from a command line or something like that) to run malicious code on the computers where the software is installed.
 
I got that today too. Still trying to figure out what the problem is through all the Politically Correct softening and a$$ covering.

Geez just tell us what you screwed up and let us fix it!

Never a truer statement made....
 
Thanks for posting