Rockwell Automation FactoryTalk Services Platform
Monitor | 7.5 | ICS-CERT ICSA-18-331-02 | Nov 27, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk Services Platform v2.90 and earlier contains a buffer overflow or similar memory issue (CWE-122) that allows a remote attacker to send a specially crafted network packet and cause the platform to crash or become unresponsive. This disrupts all communications between the platform and connected control devices. Exploitation requires only network access and no credentials or user interaction. No public exploits are currently known, but the vulnerability is straightforward to exploit given the low attack complexity.
What this means
What could happen
A remote attacker could disrupt communications with the FactoryTalk Services Platform or shut it down entirely, preventing visibility and control of connected PLCs and HMIs across your facility.
Who's at risk
Water authorities and electric utilities using FactoryTalk Services Platform v2.90 or earlier for SCADA or HMI communications need to assess this risk. The platform is commonly used in medium to large facilities to manage communications between multiple control system devices. Any interruption to the platform directly impacts your ability to monitor and control critical infrastructure operations.
How it could be exploited
An attacker on the network sends a specially crafted packet to the FactoryTalk Services Platform on a network-accessible port. The platform crashes or becomes unresponsive without requiring authentication or user interaction, causing a denial of service.
Prerequisites
- Network access to the FactoryTalk Services Platform port (likely port 2222 or 44818, based on Rockwell Automation services)
- No authentication required
- No user interaction needed
Remotely exploitable · No authentication required · Low attack complexity · Denial of service impact · No patch available
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk Services Platform: v2.90 and earlier | ≤ 2.90 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate the FactoryTalk Services Platform behind a firewall and restrict network access to only trusted engineering workstations and control system devices that require communication.
HARDENING: Disable network access from the business/enterprise network to the control system network where FactoryTalk Services Platform operates.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update FactoryTalk Services Platform to a version newer than v2.90 when available. Monitor Rockwell Automation security advisories and the product download page for patches.
Mitigations - no patch available
FactoryTalk Services Platform: v2.90 and earlier has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: If remote access to FactoryTalk Services Platform is necessary, use a VPN with current patches and restrict access to specific users and devices.
HARDENING: Run the FactoryTalk Services Platform service account with least-privilege rights, not as a system administrator.
HARDENING: Implement application whitelisting (AppLocker or equivalent) on the server running FactoryTalk Services Platform to prevent unauthorized code execution.
CVEs (1)