Rockwell Automation FactoryTalk DLL Hijacking Vulnerabilities
Risk: Low · Source: ICS-CERT ICSA-15-062-02 · Published: Dec 4, 2015
Summary
FactoryTalk Services Platform and FactoryTalk View Studio are vulnerable to DLL hijacking. The applications load some libraries by name rather than by full path, so Windows resolves them through the standard DLL search order. An attacker who can write to a directory that is searched before the legitimate library's location can drop a DLL with the same name; when FactoryTalk starts or loads that library, it loads the attacker's DLL instead, giving arbitrary code execution with the privileges of the FactoryTalk process. Affected: FactoryTalk Services Platform versions below 2.71.00 and FactoryTalk View Studio versions 8.00.00 and below.
What this means
What could happen
An attacker could load malicious DLLs on systems running FactoryTalk, potentially gaining the ability to execute arbitrary code with the privileges of the FactoryTalk application and interfere with industrial operations or data integrity.
Who's at risk
Manufacturing plants and facilities using Rockwell Automation FactoryTalk for HMI (human-machine interface), data collection, or alarm management should be concerned. This includes anyone running FactoryTalk View Studio on engineering workstations, and any host running FactoryTalk Services Platform, the shared services layer (directory, security, diagnostics) that the other FactoryTalk products depend on.
How it could be exploited
An attacker with write access to a directory on the DLL search path of the FactoryTalk server or workstation (the application's own directory, or a writable directory listed in PATH) places a DLL named after a library FactoryTalk loads by name. The next time FactoryTalk starts or loads that library, Windows resolves the name to the attacker's file and executes its code in the FactoryTalk process.
Prerequisites
- Write access to a directory where FactoryTalk searches for DLL files (typically the application directory or a directory in the DLL search path)
- FactoryTalk must start, or load the targeted library, after the malicious DLL is placed
Key points
- No patch available
- DLL hijacking can lead to arbitrary code execution
- Affects common industrial automation HMI software
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2, both EOL)
Product                          Affected Versions   Fix Status
FactoryTalk Services Platform    < 2.71.00           No fix (EOL)
FactoryTalk View Studio          <= 8.00.00          No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict write access to FactoryTalk application directories and to every directory in the DLL search path (including PATH entries) to authorized administrators only
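The prerequisite above is a writable directory on the DLL search path, so the first check is to find out whether one exists. The following PowerShell script is an added example, not code from the advisory or from Rockwell: it walks the default Windows DLL search order (application directory, System32, System, Windows directory, then PATH), reads each directory's ACL, and reports any Allow entry that gives a broad principal the right to create or modify files there. The install root in $AppDir is an assumption; set it to the real FactoryTalk directory.

```powershell
# Added example, not from the advisory or from Rockwell: audit the directories that
# Windows consults when a process loads a DLL by bare name, and flag any that grant
# write or create rights to broad principals. Any one of these is enough for the
# attack the advisory describes. $AppDir is an assumed install path; adjust it.
param(
    [string]$AppDir = 'C:\Program Files (x86)\Rockwell Software'   # assumption
)

# Default (SafeDllSearchMode) search order: application directory, System32,
# the 16-bit System directory, the Windows directory, the process's current
# directory, then each PATH entry. The current directory depends on how the
# process is launched, so it is not audited here.
$searchDirs = @(
    $AppDir,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\System",
    $env:SystemRoot
) + ($env:Path -split ';' | Where-Object { $_ -and $_.Trim() })

# Principals that should never hold write rights on a DLL search directory.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets a caller drop or replace a file in the directory.
$writeMask   = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, WriteData, Write, Modify, FullControl'
$genericBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, seen on some ACEs
$mask        = $writeMask -bor $genericBits

function Get-WritableSearchDirs {
    param([string[]]$Dirs, [string[]]$Principals, [int]$Mask)
    foreach ($dir in ($Dirs | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $Mask) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-WritableSearchDirs -Dirs $searchDirs -Principals $broadPrincipals -Mask $mask)
if ($findings.Count -eq 0) {
    'No broad write grants found on DLL search directories.'
} else {
    $findings | Format-Table -AutoSize
    # Suggested fix per finding. Review before running: an inherited ACE cannot be
    # removed directly, so inheritance is disabled (ACEs copied) and then the grant removed.
    foreach ($f in $findings) {
        "icacls `"$($f.Directory)`" /inheritance:d /remove:g `"$($f.Principal)`""
    }
}
```

Run it as an administrator on each FactoryTalk host. A non-empty result on the application directory or on any PATH entry is exactly the condition the advisory needs; a PATH entry that does not exist on disk is also a risk if a low-privileged user can create it, which this script does not check.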
Schedule (requires maintenance window)
Changing the account FactoryTalk runs under means restarting its services, so plan for process interruption
HARDENING: Run FactoryTalk with the minimum required privileges (a non-administrative service account if possible), so that a hijacked DLL gains no more than that account holds
Mitigations (no patch available)
The following products have reached End of Life with no planned fix: FactoryTalk Services Platform < 2.71.00, FactoryTalk View Studio <= 8.00.00. Apply the following compensating controls:
HARDENING: Implement application whitelisting or code-signing verification so that only known, signed DLLs can be loaded by FactoryTalk
HARDENING: Monitor FactoryTalk directories for DLL files that are new, modified, or unsigned, and implement file integrity monitoring that alerts on them
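One way to implement the last two controls together, as an added PowerShell example that is not part of the advisory or Rockwell's own tooling: the first run records a SHA-256 hash and Authenticode signature status for every DLL under the FactoryTalk install roots; each later run reports DLLs that are new, changed, or missing, and notes when a new or changed DLL has no valid signature. The watched directories and baseline path are assumptions; point them at the real install locations.

```powershell
# Added example, not from the advisory or from Rockwell: hash and signature
# baseline for every DLL under the FactoryTalk install roots. First run records
# the known-good state; later runs report DLLs that are new, changed, or missing,
# and flag new/changed DLLs without a valid Authenticode signature. Paths are assumptions.
param(
    [string[]]$WatchDirs = @(
        'C:\Program Files (x86)\Rockwell Software',        # assumed install root
        'C:\Program Files (x86)\Common Files\Rockwell'     # assumed shared components
    ),
    [string]$BaselinePath = 'C:\ProgramData\FactoryTalkDllBaseline.json'   # assumed location
)

function Get-DllInventory {
    param([string[]]$Dirs)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    SigStatus = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
    }
}

function Compare-DllInventory {
    param($Baseline, $Current)   # $Baseline: hashtable keyed by path; $Current: inventory objects
    $seen = @{}
    foreach ($dll in $Current) {
        $seen[$dll.Path] = $true
        $known = $Baseline[$dll.Path]
        $issue = if (-not $known) { 'NEW: not in baseline' }
                 elseif ($known.Sha256 -ne $dll.Sha256) { 'CHANGED: hash differs from baseline' }
        if ($issue) {
            if ($dll.SigStatus -ne 'Valid') { $issue += " and signature is $($dll.SigStatus)" }
            [pscustomobject]@{ Path = $dll.Path; Issue = $issue; Signer = $dll.Signer }
        }
    }
    # A DLL that vanished from the baseline set is also worth a look.
    foreach ($path in $Baseline.Keys) {
        if (-not $seen.ContainsKey($path)) {
            [pscustomobject]@{ Path = $path; Issue = 'MISSING: present in baseline'; Signer = '' }
        }
    }
}

$current = @(Get-DllInventory -Dirs $WatchDirs)

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run, on a trusted and freshly installed system: record the known-good
    # state and list unsigned DLLs once so they can be checked against vendor media.
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    "Baseline written: $($current.Count) DLLs recorded to $BaselinePath"
    $current | Where-Object SigStatus -ne 'Valid' | Select-Object Path, SigStatus | Format-Table -AutoSize
    return
}

$baseline = @{}
foreach ($entry in @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
    if ($entry) { $baseline[$entry.Path] = $entry }
}

$alerts = @(Compare-DllInventory -Baseline $baseline -Current $current)
if ($alerts.Count -eq 0) { 'No new, changed, or missing DLLs relative to baseline.' }
else { $alerts | Format-Table -AutoSize }
```

Schedule the script from a task running as an administrator and ship its output to whatever alerting you already have; a NEW entry in a directory the DLL search-order audit showed as writable is the combination to treat as an incident. Get-AuthenticodeSignature checks the signature chain against the host's trust store, so a status of HashMismatch means a signed vendor file was altered after signing, and NotSigned on a new file in an application directory is a strong signal on its own. Keep the baseline file writable only by administrators; otherwise an attacker who can drop a DLL can also re-baseline it.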
CVEs (1)