OTPulse
FeedAboutContact

Rockwell Automation FactoryTalk Alarms and Events

Monitor7.5ICS-CERT ICSA-17-341-02Dec 7, 2017
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

FactoryTalk Services (RSLinx Enterprise), FactoryTalk View SE, FactoryTalk Alarms and Events, and Studio 5000 Logix Designer contain an input validation vulnerability (CWE-20) that allows a remote attacker to cause a denial of service. The vulnerability affects all versions of RSLinx Enterprise, FactoryTalk View SE 5.00 and later, FactoryTalk Alarms and Events 2.90 and earlier, and Studio 5000 Logix Designer 24 and later. A remote attacker can craft and send malformed network packets to the affected services, causing them to crash or become unresponsive, disrupting alarm and event monitoring capabilities.

What this means
What could happen
An attacker could send crafted network packets to cause a denial of service, disrupting monitoring and alarming systems that operators rely on to track plant status and respond to anomalies.
Who's at risk
Water utilities, power plants, manufacturing facilities, and any industrial site using Rockwell Automation's FactoryTalk suite for alarm and event monitoring. This affects human-machine interfaces (HMI), data servers, and engineering workstations that rely on these components for real-time alerting and process visibility.
How it could be exploited
An attacker with network access to the affected FactoryTalk services can send malformed input that bypasses input validation, causing the service to crash or become unresponsive. No authentication or special configuration is required.
Prerequisites
  • Network access to FactoryTalk services (RSLinx Enterprise, View SE, or Alarms and Events) on port 2222 or HTTP ports
  • No authentication credentials required
remotely exploitableno authentication requiredlow complexityno patch availableaffects monitoring/alarming systems
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (4)
4 EOL
ProductAffected VersionsFix Status
FactoryTalk View SE:≥ 5.00No fix (EOL)
FactoryTalk Alarms and Events:≤ 2.90No fix (EOL)
FactoryTalk Services (RSLinx Enterprise): all versionsAll versionsNo fix (EOL)
Studio 5000 Logix Designer versions: 24 and later≥ 24No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2
WORKAROUNDRestrict network access to FactoryTalk services using firewall rules—allow only authorized engineering workstations and HMI servers to connect
WORKAROUNDDisable remote access to FactoryTalk services if not operationally required
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor FactoryTalk service logs for connection attempts and unexpected terminations
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: FactoryTalk View SE:, FactoryTalk Alarms and Events:, FactoryTalk Services (RSLinx Enterprise): all versions, Studio 5000 Logix Designer versions: 24 and later. Apply the following compensating controls:
HARDENINGIsolate FactoryTalk systems on a separate network segment or VLAN from untrusted networks and the internet
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/3691164d-e89b-4503-8084-d81110a0a31a
Rockwell Automation FactoryTalk Alarms and Events | CVSS 7.5 - OTPulse