Outdated encryption algorithms used to protect credentials

May 28, 2015 14:34 GMT

The encryption algorithms protecting user credentials in a human machine interface (HMI) software product from Rockwell Automation are outdated and, therefore, weak enough that the protected data can be decrypted.

HMI products provide a graphical user interface to the operator of an industrial control system (ICS), used in production environments in critical industries.

Vulnerability is not remotely exploitable

The product affected by the vulnerability is RSView32. According to Rockwell Automation, it is employed in multiple sectors worldwide, including Critical Manufacturing, Energy, Water and Wastewater Systems.

RSView32 stores user-defined credentials in a file that is protected via encryption. However, the standards used in the process have not been updated and present a security risk if an attacker gains local access to the system.

An advisory from the US ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) warns that successful exploitation of this weakness leads to revealing the protected information.

“This exploit requires an attacker gaining local access to the specific file storing passwords local to the RSView32 product. This involves local or remote access, reverse-engineering, and some form of successful social-engineering,” the advisory says.

Because it is not remotely exploitable and user interaction is required for an attack to reach its goal, the vulnerability, tracked as CVE-2015-1010, is considered to have medium severity. Its CVSS (Common Vulnerability Scoring System) score has been calculated at 6.0 out of 10.

Developer releases patch, recommends extra precautions

Credited for the discovery of the issue are Vladimir Dashchenko and Dmitry Dementjev, security analysts at the Ural Security System Center (USSC).

Rockwell Automation developed a patch to address the problem, which affects RSView32 7.60.00 (CPR9 SR4) and all earlier versions. To get it, customers have to log into their Rockwell Automation account.

Apart from this, clients can also take extra precautions such as limiting access to machines running the HMI software. The restriction applies to both systems and users, which should not be given access unless properly validated.