Executive Summary
In November 2020, a denial-of-service (DoS) vulnerability, identified as CVE-2020-13573, was discovered in Rockwell Automation's RSLinx Classic software, version 2.57.00.14 CPR 9 SR 3. This vulnerability resides in the Ethernet/IP server functionality and can be exploited by remote attackers sending specially crafted network requests, leading to a DoS condition. The vulnerability was reported by Cisco Talos and has a CVSS v3.0 base score of 7.5, indicating high severity. (talosintelligence.com)
The relevance of this vulnerability persists due to the widespread deployment of RSLinx Classic in industrial control systems. Exploitation could disrupt critical manufacturing, energy, and water sectors, emphasizing the need for timely patching and adherence to cybersecurity best practices to mitigate potential threats.
Why This Matters Now
The CVE-2020-13573 vulnerability in Rockwell Automation's RSLinx Classic software poses a significant risk to industrial control systems, potentially leading to operational disruptions in critical infrastructure sectors. Immediate attention is required to apply available patches and implement recommended security measures to prevent exploitation.
Attack Path Analysis
An attacker exploits a denial-of-service vulnerability in Rockwell Automation RSLinx Classic by sending specially crafted network requests, causing the application to become unresponsive. This disruption prevents administrators from applying new configurations or monitoring the PLC's operation, leading to potential operational downtime.
Kill Chain Progression
Initial Compromise
Description
An attacker sends specially crafted network requests to the Ethernet/IP server functionality of Rockwell Automation RSLinx Classic, exploiting a denial-of-service vulnerability.
Related CVEs
CVE-2020-13573 (CVSS 7.5)
A denial-of-service vulnerability in the Ethernet/IP server functionality of Rockwell Automation RSLinx Classic 2.57.00.14 CPR 9 SR 3 allows an attacker to send specially crafted network requests, leading to application crashes.
Affected Products: Rockwell Automation RSLinx Classic – 2.57.00.14 CPR 9 SR 3
Exploit Status: proof of concept
MITRE ATT&CK® Techniques
Exploitation for Client Execution
Process Injection
Endpoint Denial of Service
Valid Accounts
Exploitation for Defense Evasion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Flaw Remediation
Control ID: SI-2
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
RSLinx Classic vulnerability threatens SCADA systems managing power grids and energy infrastructure, enabling remote code execution and service disruption across critical energy operations.
Utilities
Stack-based buffer overflow in RSLinx Classic exposes water and wastewater treatment facilities to denial of service attacks, compromising essential utility service delivery nationwide.
Food Production
Manufacturing control systems vulnerability allows attackers to disrupt automated food processing operations, potentially causing production shutdowns and food safety compliance violations.
Automotive
Industrial automation systems running vulnerable RSLinx Classic face remote exploitation risks, threatening manufacturing line operations and production continuity in automotive facilities.
Sources
- Rockwell Automation RSLinx: https://www.cisa.gov/news-events/ics-advisories/icsa-26-167-02 (Verified)
- CVE-2020-13573 Detail: https://nvd.nist.gov/vuln/detail/CVE-2020-13573 (Verified)
- Rockwell Automation RSLinx Classic Ethernet/IP Denial-of-Service Vulnerability: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1184 (Verified)
- Rockwell Automation Security Advisory PN1061: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1061.html (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it can limit the attacker's ability to exploit the denial-of-service vulnerability in RSLinx Classic by enforcing strict segmentation and controlling network communications.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the RSLinx Classic application may be constrained by limiting unauthorized network requests to the application.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may be constrained by enforcing strict segmentation policies that limit access to sensitive resources.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network may be constrained by controlling east-west traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may be constrained by providing comprehensive visibility and control over network communications.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data may be constrained by enforcing strict egress policies that monitor and control outbound traffic.
The operational impact on the RSLinx Classic application may be constrained by limiting the attacker's ability to disrupt service through enforced segmentation and traffic control.
Impact at a Glance
Affected Business Functions
- Industrial Control Systems Operations
- Manufacturing Process Control
Estimated downtime: 2 days
Estimated loss: $50,000
Recommended Actions
Key Takeaways & Next Steps
- Implement inline intrusion prevention systems (IPS) to detect and block malicious network requests targeting known vulnerabilities.
- Apply zero trust segmentation to restrict network access to critical systems, limiting exposure to potential attacks.
- Enhance east-west traffic security to monitor and control internal network communications, preventing unauthorized access.
- Utilize multicloud visibility and control solutions to gain comprehensive insights into network traffic and detect anomalies.
- Regularly update and patch software to address known vulnerabilities and reduce the risk of exploitation.
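To make the segmentation control described under CNSF Mitigations and the IPS-style detection recommended above concrete, here is an added example (not code from the advisory, Rockwell Automation or Aviatrix) that runs both checks over constructed connection-log lines: an allowlist of hosts permitted to reach the RSLinx Classic Ethernet/IP listener, and a per-source request-rate threshold that flags the burst of requests a DoS attempt against that listener would produce. It assumes EtherNet/IP's standard TCP port 44818 (not stated on this page); the server address, the workstation allowlist and the log format are constructed for the example.

```python
from collections import defaultdict

ENIP_TCP_PORT = 44818                         # standard EtherNet/IP port (not from the page)
RSLINX_HOST = "10.0.5.20"                     # constructed: the RSLinx Classic server
ALLOWED_CLIENTS = {"10.0.5.11", "10.0.5.12"}  # constructed: permitted engineering workstations
RATE_THRESHOLD = 20                           # max requests per source per 10-second bucket

# Constructed connection records in the form "<epoch> <src_ip> <dst_ip> <dst_port>":
# two allowed workstations, one unknown host, one non-Ethernet/IP connection,
# then a burst of 25 requests from 10.0.7.7 inside a single 10-second bucket.
SAMPLE_LOG = "\n".join(
    ["1700000000 10.0.5.11 10.0.5.20 44818",
     "1700000001 10.0.5.12 10.0.5.20 44818",
     "1700000002 10.0.5.99 10.0.5.20 44818",
     "1700000003 10.0.5.11 10.0.5.20 443"]
    + [f"{1700000010 + i // 3} 10.0.7.7 10.0.5.20 44818" for i in range(25)]
)


def parse_line(line):
    """Split one record into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def analyze(log_text, allowed=ALLOWED_CLIENTS, threshold=RATE_THRESHOLD):
    """Return sources that violate the segmentation allowlist and sources that
    flood the Ethernet/IP listener. Only traffic to RSLINX_HOST:ENIP_TCP_PORT
    is considered; everything else is out of scope for this control."""
    unauthorized = set()
    per_bucket = defaultdict(int)   # (src_ip, 10-second bucket) -> request count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if dst != RSLINX_HOST or port != ENIP_TCP_PORT:
            continue
        if src not in allowed:
            unauthorized.add(src)   # segmentation policy: this host should never reach RSLinx
        per_bucket[(src, ts // 10)] += 1
    floods = [(src, bucket, n)
              for (src, bucket), n in sorted(per_bucket.items()) if n > threshold]
    return {"unauthorized": sorted(unauthorized), "floods": floods}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In a real deployment the allowlist would be the segmentation policy itself and the rate threshold would be tuned to the polling rate of the legitimate engineering workstations.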