Synopsis
CVE-2020-5801 - RSLinxNG.exe Double OpenNamespace Unauthenticated Remote DoS
The OpenNamespace message is sent to TCP port 4241 to obtain a session id. Subsequent requests require a valid session-id to interact with the service listening on that port. In the OpenNamespace message, the session-id field in the message header should be absent or empty. If a second OpenNamespace request is sent with an valid session-id in it, the CFTLDManager::HandleRequest function in RnaDaSvr.dll loaded in RSLinxNG.exe leads to unhandled exception, resulting in termination of RSLinxNG.exe.
CVE-2020-5802 - RSLinxNG.exe ConfigureItems Unauthenticated Remote DoS
An attacker-controlled memory allocation size can be passed to the C++ new operator in RnaDaSvr.dll by sending a specially crafted ConfigureItems message to TCP prot 4241. This will cause the new operator to allocate a large amount of memory. It's been observed that a large allocation size (i.e., 0xfffffff3) can cause an unhandled exception in RSLinxNG.exe, which results in process termination of RSLinxNG.exe:
CVE-2020-5806 - RSLinxNG.exe LoadIconStream Local DoS
An attacker-controlled memory allocation size can be passed to the C++ new operator in the CServerManager::HandleBrowseLoadIconStreamRequest function in messaging.dll. A local attacker can send a specially crafted LoadIconStream message to 127.0.0.1:7153 to cause the new operator to allocate a large amount of memory. It's been observed that a large allocation size (i.e., 0xffffffff) can cause an unhandled exception in RSLinxNG.exe, which results in process termination of RSLinxNG.exe.
CVE-2020-5807 - FactoryTalk Diagnostics Viewer Unauthenticated Remote DoS
An unauthenticated remote attacker can send data to RsvcHost.exe listening on TCP port 5241 to add entries in the FactoryTalk Diagnostics event log. A local user can use the FactoryTalk Diagnostics Viewer (FTDiagViewer.exe) to view the log. The attacker can specify long fields in the log entry, which can cause an unhandled exception by wcscpy_s() in FTDiagnosticsViewer.dll loaded in FTDiagViewer.exe, resulting in process termination.
Solution
For patch solutions against CVE-2020-5801, CVE-2020-5802, and CVE-2020-5806, you can download Rockwell's patch located here: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1129188. Additionally, Rockwell customers can view general mitigation guidelines here https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1129496.
Proof of Concept
Additional References
https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1129496https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1129188
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Contact our sales team