Today the DHS ICS-CERT published an advisory for a DLL hijack vulnerability in Rockwell Automation’s FactoryTalk View Studio product. The vulnerability was reported by Ivan Sanchez of NullCode & Evilcode Team. Rockwell has produced a patch that mitigates the vulnerability, but there is no indication that Sanchez was provided an opportunity to verify the efficacy of the patch.
ICS-CERT reports that a social engineering attack would be necessary to exploit this vulnerability.
Apparently ICS-CERT is changing the way they describe the remote exploit possibility of a vulnerability. Instead of saying that the vulnerability is ‘not remotely exploitable’, as we have seen in some DLL-related advisories in the recent past, they now say: “These vulnerabilities are not exploitable remotely without user interaction.” This seems to me to be a concise and accurate description of the situation.
Note: It looks like this may be the advisory that I reported as being posted on the US-CERT Secure portal recently. The advisory notes that it was posted to the portal on March 3rd.