CVE-2018-10619

Vulnerability

An unquoted search path or element vulnerability (CWE-428) exists in RSLinx Classic Versions 3.90.01 and prior and FactoryTalk Linx Gateway Versions 3.90.00 and prior [1]. The affected service is dnwhodisp, which is deployed with the software. The service binary path, C:\Program Files (x86)\Rockwell Software\RSLINX\dnwhodisp.exe, contains spaces and is not quoted, allowing Windows to search for the executable in multiple directories [2].

Exploitation

An attacker must be an authorized but non-privileged local user who can write to, or place a malicious executable at, a higher-priority directory in the search path (e.g., C:\Program.exe or C:\Program Files if writeable). No additional authentication or user interaction is needed beyond local access. The attacker inserts a malicious executable in a directory that Windows searches before the intended path; when the service starts or upon system reboot, the malicious payload executes with the elevated privileges of the service [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary code with the privilege level of the service, which runs as LocalSystem [2]. This results in full compromise of the workstation, including unauthorized access to sensitive data, modification of system files, and ability to install persistent malware. The privilege escalation can impact confidentiality, integrity, and availability of the affected system [1].

Mitigation

Rockwell Automation recommends updating RSLinx Classic to version 4.00.01 or later, and FactoryTalk Linx Gateway to version 4.00.01 or later, available from their support portal [1]. No workarounds are detailed; however, ensuring that only trusted users have local access and applying principle of least privilege can reduce risk [2]. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) as of publication [1].