CVE-2018-14829
Description
Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This vulnerability may allow a remote threat actor to intentionally send a malformed CIP packet to Port 44818, causing the software application to stop responding and crash. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the threat actor to remotely execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack buffer overflow in Rockwell Automation RSLinx Classic (versions 4.00.01 and prior) allows unauthenticated remote attackers to crash the application or achieve arbitrary code execution via a malformed CIP packet on port 44818.
Vulnerability
Rockwell Automation RSLinx Classic versions 4.00.01 and prior contain a stack-based buffer overflow vulnerability (CWE-121) in ENGINE.dll when parsing a connection path from EtherNet/IP packets on port 44818 [1][2]. The software limits the command-specific data block to 4500 bytes but fails to validate CIP-specific length fields such as the extended link address size in the port path segment [1]. An attacker can craft a malicious CIP packet with an overly large port path, causing a stack buffer overflow [1].
Exploitation
An unauthenticated remote attacker with network access to the target device can send a malformed EtherNet/IP packet containing a crafted CIP message to port 44818 [1][2]. No authentication or user interaction is required [2]. The attacker specifies a large value for the extended link address length field in the port path segment of the connection path, which is then copied into a fixed-size stack buffer without proper bounds checking [1].
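The length handling described above, as an added example: a bounds-checked parser for a single CIP port segment. This is not Rockwell's code; `parse_port_segment`, `struct port_segment` and the `LINK_ADDR_MAX` capacity are hypothetical names and values chosen for illustration, and the segment layout follows the standard CIP port segment encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LINK_ADDR_MAX 64  /* hypothetical destination capacity, not the real ENGINE.dll size */

struct port_segment {
    uint16_t port;
    uint8_t  link_len;
    uint8_t  link_addr[LINK_ADDR_MAX];
};

/* Parse one CIP port segment from path[0..path_len).
 * Returns the number of bytes consumed, or -1 if malformed or oversized. */
int parse_port_segment(const uint8_t *path, size_t path_len, struct port_segment *out)
{
    if (path_len < 2 || (path[0] & 0xE0) != 0x00)  /* top bits 000 = port segment */
        return -1;

    int extended_link = (path[0] & 0x10) != 0;     /* bit 4: link address size byte follows */
    size_t pos = 1;
    size_t link_len = 1;                           /* default: one-byte link address */
    out->port = path[0] & 0x0F;

    if (extended_link)
        link_len = path[pos++];                    /* sender-controlled length, 0..255 */

    if (out->port == 0x0F) {                       /* 15 = 16-bit extended port id follows */
        if (path_len - pos < 2)
            return -1;
        out->port = (uint16_t)(path[pos] | (path[pos + 1] << 8));
        pos += 2;
    }

    /* The validation the page describes as missing: the declared length must
     * fit both the bytes actually received and the fixed-size destination. */
    if (link_len > path_len - pos)
        return -1;
    if (link_len > sizeof out->link_addr)
        return -1;

    memcpy(out->link_addr, path + pos, link_len);
    out->link_len = (uint8_t)link_len;
    pos += link_len;

    if (pos & 1) {                                 /* segment is padded to an even length */
        if (pos >= path_len)
            return -1;
        pos++;
    }
    return (int)pos;
}
```

The encapsulation-level 4500-byte limit mentioned above does not help here, because a 255-byte link address fits comfortably inside it; only the per-field checks before the copy bound the write.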
Impact
Successful exploitation results in a denial of service (application crash) or, under the right conditions, remote code execution [1][2]. If code execution is achieved, the attacker gains arbitrary control of the RSLinx Classic process, potentially compromising the entire workstation and the connected industrial control system [2]. The CVSS v3 score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) [2].
Mitigation
Rockwell Automation has released a patched version 4.00.02 to address this vulnerability [2]. Users should update to the latest version immediately. If patching is not possible, the vendor recommends restricting network access to port 44818 and using firewalls to limit exposure to trusted networks [2]. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.00.01
- Rockwell Automation/RSLinx Classic (v5) Range: 4.00.01 and prior
References
- ics-cert.us-cert.gov/advisories/ICSA-18-263-02 (mitre, x_refsource_MISC)
- www.tenable.com/security/research/tra-2018-26 (mitre, x_refsource_MISC)