Weak password encryption used in Rockwell HMI software
Softpedia has reported that the encryption algorithms protecting user credentials in HMI software from Rockwell Automation are outdated and weak enough that the protected credentials can be decrypted.
The product affected by the vulnerability is RSView32. According to Rockwell Automation, it is employed in multiple sectors worldwide, including manufacturing, energy, water and wastewater systems.
RSView32 stores user-defined credentials in a file that is protected via encryption. However, the standards used in the process have not been updated and present a security risk if an attacker gains local access to the system.
An advisory from the US ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) warns that successful exploitation of this weakness reveals the protected information.
“This exploit requires an attacker gaining local access to the specific file storing passwords local to the RSView32 product. This involves local or remote access, reverse-engineering, and some form of successful social-engineering,” the advisory says.
Because it is not remotely exploitable and user interaction is required for an attack to reach its goal, the vulnerability, tracked as CVE-2015-1010, is considered to have medium severity. Its CVSS score has been calculated at 6.0 out of 10.
Rockwell Automation developed a patch to address the problem, which affects RSView32 7.60.00 (CPR9 SR4) and all earlier versions. To get it, customers have to log into their Rockwell Automation account.



