Rockwell Automation FactoryTalk Activation
Plan Patch · CVSS 8.8 · ICS-CERT ICSA-17-047-02 · Feb 16, 2017
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk Activation Service versions 4.00.02 and earlier contain a privilege escalation vulnerability (CWE-428) on Windows systems. The flaw allows a user with local account access to escalate privileges to SYSTEM level. This affects 30 Rockwell Automation products including RSLogix 500/5000, Studio 5000 Logix Designer/Emulate, FactoryTalk View variants, Historian, Information Server, and Gateway. Rockwell Automation has indicated no patch will be released for this vulnerability.
What this means
What could happen
An attacker with local access could escalate privileges on engineering workstations running FactoryTalk Activation Service, gaining the ability to modify control logic, access sensitive project files, or disrupt automation operations.
Who's at risk
Energy sector organizations using any of the 30 affected Rockwell Automation FactoryTalk products should be concerned. This impacts engineering workstations, HMI servers, and data collection systems running RSLogix, Studio 5000, FactoryTalk View, Historian, and gateway products. Any automation environment using FactoryTalk Activation Service for licensing or configuration management is vulnerable.
How it could be exploited
An attacker with a local account on a Windows machine running any affected FactoryTalk product exploits a privilege escalation flaw in the FactoryTalk Activation Service (version 4.00.02 and earlier) to gain system-level access. Once escalated, the attacker could execute commands with SYSTEM privileges, allowing them to modify control logic in PLC projects or access sensitive engineering data.
Prerequisites
- Local account or RDP access to engineering workstation
- FactoryTalk Activation Service version 4.00.02 or earlier running
- Windows OS with privilege escalation flaw present
no patch available · high CVSS score (8.8) · local privilege escalation · affects control engineering tools
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (30)
30 EOL
Product | Affected Versions | Fix Status
SoftLogix 5800 FactoryTalk Activation Service | ≤ 4.00.02 | No fix (EOL)
RSLinx Classic FactoryTalk Activation Service | ≤ 4.00.02 | No fix (EOL)
FactoryTalk eProcedure FactoryTalk Activation Service | ≤ 4.00.02 | No fix (EOL)
RSLogix 500 FactoryTalk Activation Service | ≤ 4.00.02 | No fix (EOL)
FactoryTalk View Site Edition (SE) FactoryTalk Activation Service | ≤ 4.00.02 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable or uninstall FactoryTalk Activation Service if not required for your configuration; evaluate whether the service is actively used in your environment
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor and log FactoryTalk Activation Service activity and failed privilege escalation attempts; set alerts for unauthorized SYSTEM-level process launches
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SoftLogix 5800 FactoryTalk Activation Service, RSLinx Classic FactoryTalk Activation Service, FactoryTalk eProcedure FactoryTalk Activation Service, RSLogix 500 FactoryTalk Activation Service, FactoryTalk View Site Edition (SE) FactoryTalk Activation Service, RSNetWorx FactoryTalk Activation Service, RSLogix 5 FactoryTalk Activation Service, FactoryTalk Information Server FactoryTalk Activation Service, Studio 5000 Logix Emulate FactoryTalk Activation Service, FactoryTalk ViewPoint FactoryTalk Activation Service, Arena FactoryTalk Activation Service, FactoryTalk Historian Site Edition (SE) FactoryTalk Activation Service, FactoryTalk AssetCentre FactoryTalk Activation Service, FactoryTalk Batch FactoryTalk Activation Service, RSLogix 5000 FactoryTalk Activation Service, Emonitor FactoryTalk Activation Service, Studio 5000 Architect FactoryTalk Activation Service, FactoryTalk Gateway FactoryTalk Activation Service, FactoryTalk EnergyMetrix FactoryTalk Activation Service, FactoryTalk Metrics FactoryTalk Activation Service, FactoryTalk Transaction Manager FactoryTalk Activation Service, FactoryTalk VantagePoint FactoryTalk Activation Service, FactoryTalk Historian Classic FactoryTalk Activation Service, RSView32 FactoryTalk Activation Service, FactoryTalk Activation Service, RSFieldBus FactoryTalk Activation Service, Studio 5000 Logix Designer FactoryTalk Activation Service, Studio 5000 View Designer FactoryTalk Activation Service, FactoryTalk View Machine Edition (ME) FactoryTalk Activation Service, RSLogix Emulate 5000 FactoryTalk Activation Service. Apply the following compensating controls:
HARDENING: Isolate engineering workstations and development servers running FactoryTalk products on a segregated network segment with firewall rules limiting lateral movement
HARDENING: Restrict local administrative access to engineering workstations; use standard user accounts for daily operations and require elevated credentials only when necessary
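CWE-428 is the "Unquoted Search Path or Element" weakness class, so evaluating a workstation can start with whether the service's registered executable path is unquoted and contains spaces, and which account the service runs as. The read-only PowerShell check below is an added example, not code from the advisory or from Rockwell Automation; the `*FactoryTalk*` name filter is an assumption and the sample paths are constructed.

```powershell
# Added example: read-only audit for CWE-428 (unquoted service executable path).
# Assumption: affected services carry "FactoryTalk" in their name or display
# name; adjust the filter to what services.msc shows on your workstation.
$NameFilter = '*FactoryTalk*'

function Test-UnquotedServicePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }      # path is already quoted
    # Executable portion = text up to the first ".exe"; arguments may follow.
    if ($p -match '^(?<exe>.+?\.exe)(\s|$)') {
        return $Matches['exe'].Contains(' ')       # spaces + no quotes = CWE-428
    }
    return $false
}

# Constructed sample paths (not taken from the advisory) showing the classification.
$samples = @(
    'C:\Program Files (x86)\Example Vendor\Licensing\svc.exe -run',    # True
    '"C:\Program Files (x86)\Example Vendor\Licensing\svc.exe" -run',  # False
    'C:\Windows\System32\svchost.exe -k netsvcs'                       # False
)
$samples | ForEach-Object { '{0,-5} {1}' -f (Test-UnquotedServicePath $_), $_ }

# Live audit: list matching services, the account they run as, and the finding.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $NameFilter -or $_.Name -like $NameFilter } |
    Select-Object Name, DisplayName, State, StartMode, StartName,
        @{ n = 'Unquoted'; e = { Test-UnquotedServicePath $_.PathName } },
        PathName |
    Sort-Object Unquoted -Descending |
    Format-Table -AutoSize -Wrap
```

A row with `Unquoted` set to `True` and `StartName` of `LocalSystem` is the configuration to prioritise for the disable-or-uninstall workaround and for SYSTEM-level process-launch alerting.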
CVEs (1)