OTPulse

Rockwell Automation FactoryTalk Activation Manager (Update B)

Priority: Act Now · CVSS 9.8 · ICS-CERT ICSA-18-102-02 · Apr 12, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

FactoryTalk Activation Manager versions 4.00 and 4.01 contain buffer overflow (CWE-119) and cross-site scripting (CWE-79) vulnerabilities that allow remote attackers to access sensitive information, modify content, or execute arbitrary code without authentication. The vulnerabilities can be exploited over the network against the activation manager server, potentially compromising the integrity of control system licensing and engineering workstation configurations.

What this means
What could happen
An attacker could remotely execute code on the FactoryTalk Activation Manager server, potentially allowing unauthorized access to engineering credentials, modification of industrial control system configurations, or disruption of plant operations that depend on FactoryTalk licensing and activation.
Who's at risk
Manufacturing facilities using Rockwell Automation FactoryTalk Activation Manager (versions 4.01 and earlier) should be concerned. This affects any site using FactoryTalk for software licensing and activation of controllers, PLCs, and engineering workstations. The risk is highest for sites with their FactoryTalk server connected to networked control systems or accessible from engineering networks.
How it could be exploited
An attacker with network access to the FactoryTalk Activation Manager server (typically port 2222/TCP or UDP) sends a specially crafted request that exploits a buffer overflow or cross-site scripting vulnerability. This allows execution of arbitrary code on the server without needing valid credentials, giving the attacker control over the activation and licensing system used by your connected controllers and engineering workstations.
Prerequisites
  • Network access to FactoryTalk Activation Manager server on port 2222/TCP or UDP
  • No valid credentials required
  • FactoryTalk Activation Manager version 4.01 or earlier installed and reachable from the attacker's network
Tags: remotely exploitable · no authentication required · low complexity · high EPSS score (80.5%) · no patch available (for v4.00 and earlier) · affects engineering and control system infrastructure
Exploitability
High exploit probability (EPSS 80.5%)
Affected products (2), 2 with fix

Product                                            | Affected Versions | Fix Status
FactoryTalk Activation Manager: v4.00 and earlier  | ≤ 4.00            | Fixed in 4.02
FactoryTalk Activation Manager: v4.00 and v4.01    | 4.00, 4.01        | Fixed in 4.02
Remediation & Mitigation
Do now
WORKAROUND: If unable to update FactoryTalk Activation Manager immediately, update CodeMeter to a compatible version that works with your current FactoryTalk Activation Manager version as a temporary mitigation
HARDENING: Block inbound traffic to port 2222/TCP and UDP from outside your manufacturing network using firewall rules or network access control lists
HARDENING: Block inbound traffic to port 44818/TCP and UDP (used by EtherNet/IP and CIP protocol devices) from outside the manufacturing zone
HARDENING: Ensure FactoryTalk Activation Manager is not directly accessible from the Internet; use firewall rules or restrict access to internal networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FactoryTalk Activation Manager to version 4.02 or later
Long-term hardening
HARDENING: Isolate FactoryTalk Activation Manager and all connected control system devices from the business network using network segmentation
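As an added example (not part of the OTPulse advisory or Rockwell's own guidance), the two port-blocking hardening items above expressed as an nftables ruleset for a Linux gateway sitting between the business network and the Activation Manager server. The manufacturing zone 10.10.0.0/16 and the outside-facing interface eth0 are constructed placeholders; the ruleset is printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not from the advisory: generate nftables rules that drop inbound
# 2222 (FactoryTalk Activation Manager) and 44818 (EtherNet/IP / CIP) on TCP and
# UDP unless the packet originates inside the manufacturing zone.

MFG_ZONE="${MFG_ZONE:-10.10.0.0/16}"   # constructed placeholder: your manufacturing zone
OUTSIDE_IF="${OUTSIDE_IF:-eth0}"       # constructed placeholder: interface facing the business network

# Emit the ruleset as text so it can be reviewed before loading.
ftam_ruleset() {
    cat <<EOF
table inet ftam_guard {
    set mfg_zone {
        type ipv4_addr
        flags interval
        elements = { $MFG_ZONE }
    }
    chain inbound {
        type filter hook input priority 0; policy accept;
        # Log, then drop, activation-manager and CIP ports reached from outside the zone
        iifname "$OUTSIDE_IF" ip saddr != @mfg_zone tcp dport { 2222, 44818 } log prefix "ftam-block: " drop
        iifname "$OUTSIDE_IF" ip saddr != @mfg_zone udp dport { 2222, 44818 } log prefix "ftam-block: " drop
    }
}
EOF
}

# Sanity check: every port/protocol pair the advisory names must be covered.
# Returns 0 when both the TCP and the UDP drop rules are present.
ftam_ruleset_covers_all() {
    rules=$(ftam_ruleset)
    for proto in tcp udp; do
        echo "$rules" | grep -q "$proto dport { 2222, 44818 }" || return 1
    done
    return 0
}

# Print the ruleset; after review, load it with: ftam_ruleset | nft -f -
ftam_ruleset
```

The `log prefix "ftam-block: "` entries give the SOC a kernel-log signal for blocked reachability attempts from the business side, which is worth forwarding to your SIEM.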