CVE-2018-14821
Description
Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vulnerability may allow a remote, unauthenticated threat actor to intentionally send a malformed CIP packet to Port 44818, causing the RSLinx Classic application to terminate. The user will need to manually restart the software to regain functionality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-based buffer overflow in Rockwell Automation RSLinx Classic allows unauthenticated remote attackers to cause a denial of service via a malformed CIP packet.
Vulnerability
A heap-based buffer overflow vulnerability exists in Rockwell Automation RSLinx Classic versions 4.00.01 and prior [2]. The flaw resides in the handling of Common Industrial Protocol (CIP) packets received on TCP port 44818. The software limits the command-specific data block to 4500 bytes but fails to validate CIP-specific length fields, such as the extended link address size, against the actual received data [1]. An unauthenticated remote attacker can exploit this by sending a specially crafted CIP packet with an oversized length field, causing a heap buffer overflow and crashing the application.
Exploitation
An attacker can exploit this vulnerability without authentication or user interaction by sending a malformed CIP packet to the target's port 44818 [2]. The packet contains a CIP message with an inflated length for the extended link address in the port path segment [1]. The software copies this oversized data into a heap buffer, resulting in memory corruption.
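The missing check described above, as an added example (not Rockwell's code and not taken from the cited references): a bounds-checked parser for one CIP port segment that compares the declared extended link address size with the bytes actually received before copying anything. The `port_segment` type, the function name and the sample bytes are constructed for illustration, and the segment layout used is an assumption based on the standard CIP port segment encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ENIP_MAX_CMD_DATA 4500u   /* command-specific data limit cited on the page */
typedef struct {                  /* hypothetical result type for this example */
    uint16_t port;
    uint8_t  link_len;
    uint8_t  link[255];           /* a one-byte size field declares at most 255 */
} port_segment;

/* Parse one CIP port segment from buf[0..len). Returns bytes consumed, or -1
 * when a declared length exceeds the bytes actually received. Every bound is
 * checked before anything is copied. */
int parse_port_segment(const uint8_t *buf, size_t len, port_segment *out)
{
    size_t pos = 0, link_len = 1;     /* link address is 1 byte by default */
    if (!buf || !out || len == 0 || len > ENIP_MAX_CMD_DATA)
        return -1;
    uint8_t hdr = buf[pos++];
    if ((hdr & 0xE0) != 0x00)         /* segment type 000 = port segment */
        return -1;
    uint16_t port = hdr & 0x0F;
    if (hdr & 0x10) {                 /* extended link address size byte follows */
        if (len - pos < 1) return -1;
        link_len = buf[pos++];
    }
    if (port == 0x0F) {               /* extended port id: 2 bytes, little-endian */
        if (len - pos < 2) return -1;
        port = (uint16_t)(buf[pos] | (buf[pos + 1] << 8));
        pos += 2;
    }
    if (link_len > len - pos)         /* declared size vs. received data */
        return -1;
    memcpy(out->link, buf + pos, link_len);
    out->link_len = (uint8_t)link_len;
    out->port = port;
    pos += link_len;
    if (pos & 1) {                    /* segment is padded to an even length */
        if (pos >= len) return -1;
        pos++;
    }
    return (int)pos;
}
int main(void) {
    const uint8_t bad[] = {0x12, 0x40, 0xAA, 0xBB}; /* constructed: declares 64, carries 2 */
    port_segment seg;
    return parse_port_segment(bad, sizeof bad, &seg) == -1 ? 0 : 1;
}
```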
Impact
Successful exploitation leads to termination of the RSLinx Classic application [2]. The user must manually restart the software to regain functionality. This is a denial-of-service condition with no impact on confidentiality or integrity. The CVSS v3 base score is 7.5, with a vector string AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [2].
Mitigation
Rockwell Automation has released an updated version of RSLinx Classic (version 4.00.02 and later) to address this vulnerability [2]. Users are advised to upgrade to the latest version. No workarounds are provided in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.00.01
- Rockwell Automation/RSLinx Classic (v5), Range: 4.00.01 and prior
References
- ics-cert.us-cert.gov/advisories/ICSA-18-263-02 (mitre, x_refsource_MISC)
- www.tenable.com/security/research/tra-2018-26 (mitre, x_refsource_MISC)