OTPulse
FeedAboutContact

Rockwell FactoryTalk Diag Viewer Memory Corruption

Plan Patch8.4ICS-CERT ICSA-11-175-01Mar 27, 2011
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Rockwell Automation FactoryTalk Diag Viewer versions 2.10.x_SPR9_SR2 and earlier contain a memory corruption vulnerability that can be triggered by local code execution. The vulnerability exists in the Diag Viewer diagnostic and communication tool used to configure and troubleshoot Rockwell automation devices.

What this means
What could happen
An attacker with local access to a workstation running FactoryTalk Diag Viewer could corrupt memory and execute arbitrary code with the same privileges as the application, potentially allowing modification of device configurations or diagnostic data in your automation environment.
Who's at risk
Manufacturing and process facilities using Rockwell Automation's FactoryTalk Diag Viewer for diagnostics and configuration of PLCs, PACs, and industrial control devices. This affects engineering workstations used by automation technicians and system integrators.
How it could be exploited
An attacker must first gain local code execution on a workstation where FactoryTalk Diag Viewer is running (e.g., through malware or a compromised application). They then trigger the memory corruption condition within Diag Viewer to achieve additional code execution or elevation of privilege within that application context.
Prerequisites
  • Local code execution on the workstation running FactoryTalk Diag Viewer
  • FactoryTalk Diag Viewer version 2.10.x_SPR9_SR2 or earlier must be installed
no patch availablelocal exploitation only (lower immediate risk than remote)memory corruption can lead to code execution
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
ProductAffected VersionsFix Status
FactoryTalk Diag Viewer: <=2.10.x_SPR9_SR2≤ 2.10.x SPR9 SR2No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDImplement application whitelisting to prevent unauthorized programs from running on engineering workstations
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor for signs of unauthorized code execution or memory corruption events on FactoryTalk Diag Viewer workstations
Mitigations - no patch available
0/2
FactoryTalk Diag Viewer: <=2.10.x_SPR9_SR2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIsolate engineering workstations running FactoryTalk Diag Viewer on a segmented network with restricted outbound access
HARDENINGRestrict local user access and administrative privileges on workstations running FactoryTalk Diag Viewer to minimize the risk of local code execution
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/6c72a856-a19e-4d1f-ac93-57b07f7829f2
Rockwell FactoryTalk Diag Viewer Memory Corruption | CVSS 8.4 - OTPulse