CVE-2020-5802: 
FactoryTalk Linx (RSLinx Enterprise) vulnerability analysis and mitigation

An attacker-controlled memory allocation size vulnerability (CVE-2020-5802) was discovered in RnaDaSvr.dll affecting FactoryTalk Linx software. The vulnerability was disclosed in December 2020 and affects FactoryTalk Linx version 6.11 and prior versions. The vulnerability allows an attacker to send specially crafted ConfigureItems messages to TCP port 4241, potentially causing denial-of-service conditions (Tenable Research, CISA Advisory).

The vulnerability occurs when an attacker-controlled memory allocation size is passed to the C++ new operator in RnaDaSvr.dll through a specially crafted ConfigureItems message sent to TCP port 4241. This causes the new operator to allocate a large amount of memory, which can trigger an unhandled exception in RSLinxNG.exe. The vulnerability has been assigned a CVSS v3 base score of 7.5 (High) with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Tenable Research).

Successful exploitation of this vulnerability results in a denial-of-service condition through the termination of RSLinxNG.exe process. The attack can be executed remotely without requiring authentication, potentially affecting industrial control systems and manufacturing operations (CISA Advisory).

Rockwell Automation released patches to address this vulnerability. Users are recommended to implement network-based mitigations including: utilizing proper network infrastructure controls such as firewalls, blocking all traffic to EtherNet/IP or other CIP protocol-based devices from outside the manufacturing zone, and restricting access to TCP and UDP Port 2222 and Port 44818. Additionally, it is recommended to run all software with minimal user privileges and implement Microsoft AppLocker or similar allowlist applications (CISA Advisory).