Rockwell Automation FactoryTalk Diagnostics
Act Now · 9.8 · ICS-CERT ICSA-20-051-02 · Feb 20, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk Diagnostics contains an unsafe deserialization vulnerability in the Remote Diagnostics Service. The service accepts and processes serialized objects over the network without proper validation. An attacker can send a crafted object to execute arbitrary code on the server, compromising the integrity of diagnostics, monitoring, and system configuration data.
What this means
What could happen
An attacker with network access to the Remote Diagnostics Service port could execute arbitrary code on the FactoryTalk Diagnostics server, potentially allowing them to modify production data, alter system configurations, or disrupt diagnostic and monitoring functions across your manufacturing environment.
Who's at risk
Operators and engineers managing Rockwell Automation manufacturing systems who rely on FactoryTalk Diagnostics for system monitoring and troubleshooting. This affects any facility using affected versions (2.00–6.11) of the software, particularly those with remote access capabilities enabled for diagnostics or remote engineering support.
How it could be exploited
An attacker sends a malicious serialized object to the Remote Diagnostics Service port over the network. The service deserializes untrusted data without proper validation, allowing arbitrary code execution. The attacker gains the ability to run commands with the privileges of the service account.
Prerequisites
- Network connectivity to the Remote Diagnostics Service port (default or configured port)
- The Remote Diagnostics Service must be running and accessible
- No authentication required
Remotely exploitable · No authentication required · Low complexity attack · Affects monitoring and diagnostic systems · CWE-502 (deserialization of untrusted data)
Exploitability
Moderate exploit probability (EPSS 2.1%)
Affected products (1)
Product: FactoryTalk Diagnostics software
Affected Versions: 2.00 to 6.11
Fix Status: 6.20 or later; patch BF24822 for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, 6.11
Remediation & Mitigation
Do now
- WORKAROUND: Disable the Remote Diagnostics Service if it is not actively in use for your operations
- HARDENING: Configure Windows Firewall to restrict network access to the Remote Diagnostics Service port, allowing only trusted engineering workstations or management networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade FactoryTalk Diagnostics to version 6.20 or later if currently running versions prior to 6.20
- HOTFIX: Install patch BF24822 for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, or 6.11 to restrict connection settings to local port only
- HOTFIX: Upgrade to version 2.74 or later if currently running versions older than 2.74
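The three hotfix paths above depend on the exact installed version, so an asset inventory can be triaged mechanically. The following is an added example, not part of the advisory or any Rockwell tooling; the function names, hostnames and sample inventory are assumptions, while the version boundaries and patch list are the ones stated above.

```python
import re

# Version boundaries and patch list copied from the advisory text above.
AFFECTED_MIN, AFFECTED_MAX = (2, 0), (6, 11)   # 2.00 to 6.11
FIXED_MIN = (6, 20)                            # 6.20 or later
PATCH_BASE = (2, 74)                           # oldest version BF24822 applies to
PATCHABLE = {(2, 74), (2, 80), (2, 81), (2, 90), (3, 0), (6, 10), (6, 11)}

# Two-digit minor required: "6.1" could mean 6.01 or 6.10, so it is rejected.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d{2})(?:\.\d+)*\s*$")


def parse_version(text):
    """Return (major, minor) as ints, or None if the string is ambiguous."""
    m = _VERSION_RE.match(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(version_text):
    """Map an installed version to (status, action) per the advisory."""
    v = parse_version(version_text)
    if v is None:
        return ("UNKNOWN", "unparseable version; check the installed build by hand")
    if v >= FIXED_MIN:
        return ("FIXED", "none")
    if v < AFFECTED_MIN or v > AFFECTED_MAX:
        return ("UNKNOWN", "version not covered by the advisory; confirm with the vendor")
    if v in PATCHABLE:
        return ("AFFECTED", "install patch BF24822, or upgrade to 6.20 or later")
    if v < PATCH_BASE:
        return ("AFFECTED", "upgrade to 2.74 or later first, or go straight to 6.20 or later")
    return ("AFFECTED", "not on the BF24822 list; upgrade to 6.20 or later")


def triage_inventory(rows):
    """rows: iterable of (hostname, version string); affected hosts sort first."""
    results = [(host, ver) + triage(ver) for host, ver in rows]
    order = {"AFFECTED": 0, "UNKNOWN": 1, "FIXED": 2}
    return sorted(results, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [("eng-ws-01", "6.20"), ("hmi-line3", "2.51"), ("hist-02", "6.11"),
          ("hmi-line1", "2.75"), ("lab-pc", "6.1")]

if __name__ == "__main__":
    for host, ver, status, action in triage_inventory(SAMPLE):
        print(f"{host:10} {ver:6} {status:8} {action}")
```

Hosts reported as AFFECTED still need the "Do now" workaround or firewall restriction until the maintenance window.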
CVEs (1)