Human machine interface software from Rockwell Automation has been patched, protecting users from a vulnerability in the way stored passwords are protected.
The vulnerability was discovered in RSView32, versions 7.60.00 and earlier, according to an alert from the Industrial Control System Cyber Emergency Response Team (ICS-CERT).
“An attacker who exploits this vulnerability may be able to gain access to user-defined passwords,” the ICS-CERT alert said.
RSView32 is an HMI system that monitors the operation of automated processes worldwide in manufacturing and other industrial and critical environments, including energy and water. HMIs provide infrastructure operators with a visualization of the automation environment and allow admins to manage controls from a single screen or screens.
The vulnerability, ICS-CERT said, lies in a weak, outdated encryption algorithm used to protect user-defined usernames in passwords within a particular file.
“Use of older algorithms may be susceptible to unauthorized decryption. If successfully exploited, user-defined passwords can be revealed,” the advisory said.
Exploiting the vulnerability, however, could prove difficult, ICS-CERT said. An attacker would require local access to the file where passwords are stored for the RSView32.
“This involves local or remote access, reverse-engineering, and some form of successful social engineering,” the advisory said, adding that no public exploits have been discovered. “Crafting a working exploit for this vulnerability would be difficult.”
In addition to applying the patch, Rockwell offers a number of mitigations, including limiting access to RSView32 to authorized personnel, restricting and segmenting network access to assets with RSView32, and the use of a whitelisting application, among other suggestions.