Rockwell Automation FactoryTalk DLL Hijacking Vulnerabilities

Low RiskICS-CERT ICSA-15-062-02Dec 4, 2015

Rockwell Automation

Summary

FactoryTalk Services Platform and FactoryTalk View Studio are vulnerable to DLL hijacking attacks. An attacker can place a malicious DLL file in a directory where FactoryTalk searches for libraries during startup. When FactoryTalk loads the library, it may load the attacker's malicious DLL instead of the legitimate one, allowing arbitrary code execution with the privileges of the FactoryTalk process. This affects FactoryTalk Services Platform versions below 2.71.00 and FactoryTalk View Studio versions 8.00.00 and below.

What this means

What could happen

An attacker could load malicious DLLs on systems running FactoryTalk, potentially gaining the ability to execute arbitrary code with the privileges of the FactoryTalk application and interfere with industrial operations or data integrity.

Who's at risk

Manufacturing plants and facilities using Rockwell Automation FactoryTalk for HMI (human-machine interface), data collection, or alarm management should be concerned. This includes anyone running FactoryTalk View Studio for engineering workstations or FactoryTalk Services Platform for centralized monitoring and historian functions.

How it could be exploited

An attacker with write access to a directory on the FactoryTalk server or workstation could place a malicious DLL file. When FactoryTalk starts or loads a library, it may load the attacker's malicious DLL instead of the legitimate one, executing arbitrary code.

Prerequisites

Write access to a directory where FactoryTalk searches for DLL files (typically the application directory or a directory in the DLL search path)
FactoryTalk application must be running or started after the malicious DLL is placed

No patch availableDLL hijacking can lead to arbitrary code executionAffects common industrial automation HMI software

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

FactoryTalk Services Platform: <2.71.00<2.71.00No fix (EOL)

FactoryTalk View Studio: <=8.00.00≤ 8.00.00No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGRestrict write access to FactoryTalk application directories and any directories in the DLL search path to authorized users only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGRun FactoryTalk with the minimum required privileges (non-administrative account if possible)

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: FactoryTalk Services Platform: <2.71.00, FactoryTalk View Studio: <=8.00.00. Apply the following compensating controls:

HARDENINGImplement application whitelisting or code signing verification for DLL files loaded by FactoryTalk

HARDENINGMonitor for unauthorized DLL files in FactoryTalk directories and implement file integrity monitoring

CVEs (1)

CVE-2014-9209

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/bd9d01ac-8cfa-4cc1-8ecd-a26a78483105

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.