CVE-2018-14827

Vulnerability

Rockwell Automation RSLinx Classic versions 4.00.01 and prior are affected by a stack-based buffer overflow (CVE-2018-14829), a heap-based buffer overflow (CVE-2018-14821), and a resource exhaustion flaw (CVE-2018-14827) [1]. These vulnerabilities exist in the handling of specially crafted Common Industrial Protocol (CIP) and Ethernet/IP packets received on TCP port 44818 [1]. No authentication or user interaction is required to reach the vulnerable code path.

Exploitation

An unauthenticated remote attacker can send a malformed CIP or Ethernet/IP packet to port 44818 of an affected RSLinx Classic instance [1]. The attacker does not need any prior network access or credentials. Exploitation requires only low skill level and can be performed over the network without any user interaction [1].

Impact

Successful exploitation can cause the RSLinx Classic software to terminate or stop responding, requiring the user to manually restart the application to regain functionality [1]. The stack-based buffer overflow (CVE-2018-14829) also has the potential to allow remote arbitrary code execution on the device, leading to full compromise of confidentiality, integrity, and availability (CVSS 10.0) [1]. The heap-based buffer overflow and resource exhaustion flaws primarily result in a denial-of-service condition [1].

Mitigation

Rockwell Automation has not released a patched version as of the advisory publication date (2018-09-20) [1]. Operators of affected RSLinx Classic versions should restrict network access to port 44818 to trusted hosts only, segment the control network, and monitor ICS-CERT advisory ICSA-18-263-02 for updates [1]. The vulnerabilities are not known to be listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the reference publication.