CVE-2020-13573

Vulnerability

A denial-of-service vulnerability (CWE-823: Use of Out-of-range Pointer Offset) exists in the Ethernet/IP server functionality of Rockwell Automation RSLinx Classic version 2.57.00.14 CPR 9 SR 3. The flaw occurs when processing a Register Session request followed by a Send Unit Data message where the Address Item Length field is smaller than the data that follows. This causes an out-of-bounds pointer arithmetic in a function at address 0x67a4bb10, leading to a crash. The affected version is commonly used with MicroLogix 1100 Programmable Controllers. [1]

Exploitation

An attacker with network access to the target device can send a sequence of malicious Ethernet/IP packets without prior authentication. The exploitation requires no special privileges or user interaction. By crafting a Register Session request and then a Send Unit Data message with an insufficient Address Item Length, the attacker triggers the vulnerable code path. The specific sequence involves setting the Address Item Length to a value smaller than the data payload, causing the function at 0x67a4bb51 to compute an out-of-range pointer, which leads to an access violation. [1]

Impact

Successful exploitation results in a denial-of-service condition, causing the RSLinx Classic server to crash. This disrupts communication between plant devices and Rockwell software applications, potentially halting production or monitoring systems. The CVSSv3 score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity compromise. [1]

Mitigation

Rockwell Automation has not released a fixed version for RSLinx Classic 2.57.00.14 CPR 9 SR 3 as of the publication date of this CVE (2021-01-07). Users are advised to apply network segmentation and access controls to limit exposure to untrusted networks. Rockwell recommends using firewalls and VPNs to restrict access to the Ethernet/IP service. No workaround or patch is detailed in the available references. [1]