Rockwell Automation RSLinx (CVE-2020-13573)

What Happened

A vulnerability was discovered in Rockwell Automation's RSLinx Classic software, which is widely used in critical infrastructure sectors. If exploited, this flaw could allow an attacker to crash the software or potentially run malicious code remotely. This matters because a crash could disrupt industrial control systems and critical operations. Organizations using this software should upgrade to version 4.60.00 or later, or apply the recommended security patch.

Key Takeaways

• Rockwell Automation RSLinx Classic versions 4.50.00 and prior are vulnerable to CVE-2020-13573.
• The vulnerability involves an out-of-bounds read and stack-based buffer overflow.
• Successful exploitation can lead to a denial of service (DoS) or potential remote code execution.
• Users should upgrade to version 4.60.00 or later, or apply patch BF31213.
• No known public exploitation has been reported at this time.

Affected Systems

• Rockwell Automation RSLinx Classic versions 4.50.00 and prior

Vulnerabilities (CVEs)

• CVE-2020-13573

Attack Chain

An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted network packets to the affected RSLinx Classic application. This triggers an out-of-bounds read or stack-based buffer overflow within the software. Upon successful exploitation, the application becomes unresponsive, resulting in a denial of service, or potentially allows the attacker to execute arbitrary code on the target system.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

No specific detection rules are provided in the advisory.

Detection Engineering Assessment

EDR Visibility: Medium — EDR deployed on the Windows hosts running RSLinx Classic may detect post-exploitation activity if remote code execution is achieved, or log the application crash, but will likely not inspect the specific malformed network packets. Network Visibility: Medium — Network intrusion detection systems (IDS) could potentially detect the exploit if signatures for CVE-2020-13573 are available and deployed. Detection Difficulty: Moderate — Detecting the exploit attempt requires specific network signatures, while detecting the result relies on monitoring for unexpected application crashes.

Required Log Sources

• Application Crash Logs
• Windows Event Logs
• Network IDS/IPS Logs

Hunting Hypotheses

Control Gaps

• Lack of network segmentation for ICS devices
• Missing security patches on engineering workstations

Key Behavioral Indicators

• RSLinx service crash events (e.g., Windows Event ID 1000 for Application Error)

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider upgrading RSLinx Classic to version 4.60.00 or later, or applying patch BF31213 if upgrading is not immediately feasible.

Infrastructure Hardening

• Evaluate whether control system devices can be isolated behind firewalls and separated from business networks.
• Consider minimizing network exposure for all control system devices, ensuring they are not accessible from the internet.
• If remote access is required, consider using secure methods such as updated Virtual Private Networks (VPNs).

User Protection

• Ensure endpoint security controls are active and updated on engineering workstations running RSLinx.

Security Awareness

• Consider training operators to recognize and report unexpected ICS application crashes or anomalies.

MITRE ATT&CK Mapping

• T1498 - Network Denial of Service
• T1210 - Exploitation of Remote Services
• T1190 - Exploit Public-Facing Application