Rockwell Automation FactoryTalk Alarms and Events

MonitorCVSS 7.5ICS-CERT ICSA-17-341-02Dec 7, 2017

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

FactoryTalk Services (RSLinx Enterprise), FactoryTalk View SE, FactoryTalk Alarms and Events, and Studio 5000 Logix Designer contain an input validation vulnerability (CWE-20) that allows a remote attacker to cause a denial of service. The vulnerability affects all versions of RSLinx Enterprise, FactoryTalk View SE 5.00 and later, FactoryTalk Alarms and Events 2.90 and earlier, and Studio 5000 Logix Designer 24 and later. A remote attacker can craft and send malformed network packets to the affected services, causing them to crash or become unresponsive, disrupting alarm and event monitoring capabilities.

What this means

What could happen

An attacker could send crafted network packets to cause a denial of service, disrupting monitoring and alarming systems that operators rely on to track plant status and respond to anomalies.

Who's at risk

Water utilities, power plants, manufacturing facilities, and any industrial site using Rockwell Automation's FactoryTalk suite for alarm and event monitoring. This affects human-machine interfaces (HMI), data servers, and engineering workstations that rely on these components for real-time alerting and process visibility.

How it could be exploited

An attacker with network access to the affected FactoryTalk services can send malformed input that bypasses input validation, causing the service to crash or become unresponsive. No authentication or special configuration is required.

Prerequisites

Network access to FactoryTalk services (RSLinx Enterprise, View SE, or Alarms and Events) on port 2222 or HTTP ports
No authentication credentials required

remotely exploitableno authentication requiredlow complexityno patch availableaffects monitoring/alarming systems

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (4)

4 EOL

ProductAffected VersionsFix Status

FactoryTalk View SE:≥ 5.00No fix (EOL)

FactoryTalk Alarms and Events:≤ 2.90No fix (EOL)

FactoryTalk Services (RSLinx Enterprise): all versionsAll versionsNo fix (EOL)

Studio 5000 Logix Designer versions: 24 and later≥ 24No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to FactoryTalk services using firewall rules—allow only authorized engineering workstations and HMI servers to connect

WORKAROUNDDisable remote access to FactoryTalk services if not operationally required

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor FactoryTalk service logs for connection attempts and unexpected terminations

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: FactoryTalk View SE:, FactoryTalk Alarms and Events:, FactoryTalk Services (RSLinx Enterprise): all versions, Studio 5000 Logix Designer versions: 24 and later. Apply the following compensating controls:

HARDENINGIsolate FactoryTalk systems on a separate network segment or VLAN from untrusted networks and the internet

CVEs (1)

CVE-2017-14022

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/3691164d-e89b-4503-8084-d81110a0a31a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.