Rockwell Automation Integer Overflow Vulnerability
SonicWall Capture Labs Threat Research Team has observed the following threat:
Rockwell Automation's ThinManager is designed for managing thin clients, mobile devices, cameras, and industrial devices. It comprises a client component and a server component: the client facilitates device configuration, while the server handles data transfer and client requests. To maintain data consistency across the system, ThinManager servers synchronize with each other using messages sent over port TCP/2031. These messages use a proprietary protocol and begin with a Type value; the vulnerability described here concerns Type 13 messages.
A significant vulnerability, specifically an integer overflow, has been identified in the Rockwell Automation ThinManager ThinServer. The root of this vulnerability is tied to the improper validation of input, particularly when processing Type 13 synchronization messages.
This vulnerability is not merely a theoretical concern. In practical terms, a remote attacker, even without authentication, could exploit this flaw by sending a specially crafted request to the targeted server. If successful, the outcome could be severe, leading to a denial of service for the affected system.
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2914.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 7.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C).
Base score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is none.
• Impact of this vulnerability on data integrity is none.
• Impact of this vulnerability on data availability is high.
Temporal score is 7.7 (E:P/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is proof of concept.
• The remediation level of this vulnerability is official fix.
• The report confidence level of this vulnerability is confirmed.
The vulnerability arises from the unchecked value of the "Length of data" field. Specifically, this value is added to the current position pointer, which is set to 12 (0xC), without any prior verification.
A problem emerges when a value exceeding 2,147,483,635 (0x7FFFFFF3) is supplied in the "Length of data" field. When it is added to the current position pointer, the sum overflows, and the resulting "calcLength" value wraps around to a negative signed 4-byte integer. Because "calcLength" is now negative, it passes the check that requires "calcLength" to be less than or equal to "remainLength".
This oversight is critical. Once that condition is met, the memcpy() function is invoked with an excessively large "Size" parameter. This can trigger an out-of-bounds read, culminating in the abrupt termination of the server.
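The following C program is an added illustration of the length check described above; it is not ThinServer code and does not reconstruct the synchronization protocol. It models only the arithmetic the advisory describes: a position pointer of 12 (0xC) added to the "Length of data" value, compared against "remainLength" as a signed 32-bit integer, alongside a hardened version of the same check that rejects the field before the addition can wrap. The function names, the use of a fixed-size output buffer, and the sample values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Current position pointer at the time of the check, per the advisory (0xC). */
#define HEADER_POS 12u

/*
 * Models the flawed check (assumed reconstruction, not vendor code):
 * calcLength = position + lengthOfData, held in a signed 32-bit integer,
 * then compared with remainLength. The addition is done in unsigned
 * arithmetic and converted, which is how the wrap to a negative value
 * shows up on a two's-complement machine.
 */
bool length_check_vulnerable(uint32_t length_of_data, int32_t remain_length)
{
    int32_t calc_length = (int32_t)(HEADER_POS + length_of_data); /* wraps negative when length > 0x7FFFFFF3 */
    return calc_length <= remain_length;                         /* a negative calcLength passes */
}

/*
 * Hardened check: stay in unsigned arithmetic, refuse any length whose
 * addition to the position would wrap, and only then compare to the
 * bytes actually remaining in the message.
 */
bool length_check_hardened(uint32_t length_of_data, uint32_t remain_length)
{
    if (length_of_data > UINT32_MAX - HEADER_POS)
        return false; /* HEADER_POS + length_of_data would overflow */
    uint32_t calc_length = HEADER_POS + length_of_data;
    return calc_length <= remain_length;
}

/*
 * Simulated payload copy using the hardened check. 'msg' holds 'remain_length'
 * bytes; the payload starts at HEADER_POS and is 'length_of_data' bytes long.
 * Returns the number of bytes copied, or -1 if the message is rejected.
 */
long copy_payload_hardened(const uint8_t *msg, uint32_t remain_length,
                           uint32_t length_of_data, uint8_t *out, size_t out_cap)
{
    if (!length_check_hardened(length_of_data, remain_length))
        return -1;
    if (length_of_data > out_cap)
        return -1; /* destination buffer too small */
    memcpy(out, msg + HEADER_POS, length_of_data); /* Size is now bounded by the real message */
    return (long)length_of_data;
}

int main(void)
{
    /* Constructed sample: a 100-byte message whose remaining length is 100. */
    uint8_t msg[100];
    uint8_t out[64];
    memset(msg, 0x41, sizeof msg);

    uint32_t samples[] = { 50u, 0x7FFFFFF3u, 0x7FFFFFF4u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("length=0x%08X vulnerable=%d hardened=%d copied=%ld\n",
               samples[i],
               length_check_vulnerable(samples[i], 100),
               length_check_hardened(samples[i], 100u),
               copy_payload_hardened(msg, 100u, samples[i], out, sizeof out));
    }
    return 0;
}
```

The boundary is visible in the output: 0x7FFFFFF3 plus 12 is exactly 0x7FFFFFFF and is correctly rejected by both checks, while one byte more wraps to a negative value that the flawed comparison accepts and the hardened comparison refuses.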
Triggering the Problem:
• The target must be running a vulnerable version of the software.
• The attacker must have network access to the vulnerable software.
The process begins when the attacker issues a request to establish a connection with the server. Once the server accepts the connection, the attacker sends a Type 13 message containing an excessively large "Length of data" field. This triggers the vulnerability and can crash the server.
The following application protocols can be used to deliver an attack that exploits this vulnerability:
• Rockwell Automation ThinManager ThinServer Synchronization Protocol
SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:
• IPS: 4020 Rockwell Automation ThinServer Integer Overflow
The risks posed by this vulnerability can be mitigated or eliminated by:
• Applying the vendor-supplied patch to eliminate this vulnerability.
• Filtering traffic based on the signature above.
The vendor has released the following advisory regarding this vulnerability: