Rockwell FactoryTalk Diag Viewer Memory Corruption
ICSA： ICS Advisory (ICSA-11-175-01)
Independent security researchers Billy Rios and Terry McCorkle have coordinated with ICS-CERT on a memory corruption vulnerability that affects Rockwell’s Automation FactoryTalk Diagnostics Viewer product.
By using a specially crafted FactoryTalk Diagnostics Viewer configuration file, an attacker could possibly cause a memory corruption that allows the execution of arbitrary code.
According to Rockwell Automation, this issue has been resolved in later versions of the FactoryTalk Diagnostics Viewer, starting with V2.30.00 (CPR9 SR3). ICS-CERT has not validated this update.
According to Rockwell Automation, these vulnerabilities affect Versions 2.10.x (SPR9 SR2) and earlier.
A successful exploitation of this vulnerability could result in the execution of arbitrary code.
The exact impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.
Rockwell Automation provides industrial automation control and information products worldwide, across a wide range of industries.
The FactoryTalk Diagnostics Viewer is part of the FactoryTalk Services Platform and collects, stores, and provides access to activity, status, warning, and error messages generated by products during installation, configuration, and operation.
The memory corruption vulnerability could allow an attacker to execute arbitrary code using a specially crafted FactoryTalk Diagnostics Viewer configuration file (.ftd extension).
This vulnerability is not remotely exploitable. The exploit can only be triggered when the specially crafted file is executed locally by a vulnerable version of FactoryTalk Diagnostics Viewer.
Existence of Exploit
No known exploits specifically target this vulnerability.
Crafting a working exploit for this vulnerability requires moderate skill. Social engineering is required to convince the user to accept the malformed file, decreasing the likelihood of a successful exploit.
Rockwell Automation recommends that concerned customers upgrade the FactoryTalk Diagnostics Viewer to the latest version. Because FactoryTalk Diagnostics Viewer is not available as a standalone installation, customers must upgrade the FactoryTalk Services Platform product to FactoryTalk Diagnostics Viewer (CPR9 SR3) or greater.
Rockwell Automation also recommends its customers review the Rockwell Automation Software Product Compatibility Matrix to ensure they understand the dependencies and compatibilities that may arise as a result of upgrading this product.
For more information, refer to Rockwell Automation Security Advisory KB#448424.