Some good news on Quickdraw SCADA IDS and vendor vulnerability handling: Rockwell Automation’s response to the denial-of-service vulnerability in RSLogix and FactoryTalk identified by Luigi Auriemma. Rockwell and NitroSecurity developed IDS signatures that detect this attack and have graciously allowed them to be part of our Quickdraw project. They are included in Version 1.4 of the Vulnerability Rules and are available with free registration to digitalbond.com.
Before getting to the IDS rules, consider how far this vendor has come in the past three years in vulnerability handling.
- They issued an advisory on their site the same day as Luigi’s announcement.
- More interesting is their updated advisory on Sept 30th. Rockwell Automation does not try to hedge on the significance and discusses the denial of service and denial of view. The advisory also provides context on what the vuln is not:
“no known possibility of malicious code injection and no known escalation of privilege on the target machine that results from successful exploitation of the vulnerability. Furthermore, there is no indication that exploitation will disrupt operation of a Rockwell Automation programmable controller or communications between RSLogix 5000 software and a Rockwell Automation programmable controller.”
It is unclear whether they are relying on the fact that Luigi and others haven’t found such a path yet or whether they have done their own investigation on this. They could improve a bit on this.
- They released a security patch for FactoryTalk.
- They announced that a security patch for RSLogix will be available on October 14th. Other vendors need to follow this example and provide customers with information on when a fix will be available. Going back to Siemens, we still have no idea when any of the outstanding Beresford vulns will be addressed … 1 month, 3 months, next year, never?
- The advisory includes firewall configuration information.
- And finally they have released IDS signatures to detect attacks trying to exploit this vulnerability.