Rockwell Automation FactoryTalk Services Platform XXE
Plan: Patch
Score: 8.4
Source: ICS-CERT ICSA-20-177-02
Published: Jun 25, 2020
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
XML External Entity (XXE) vulnerability in Rockwell Automation FactoryTalk Services Platform version 6.11.00 and earlier. A user with local access to the server can exploit this vulnerability to read arbitrary files on the system or cause a denial of service. The vulnerability is reached through the platform's XML processing functions and does not require remote network access.
What this means
What could happen
An attacker with local access to a FactoryTalk Services Platform server could read any file on the system or cause the service to stop responding, disrupting access to engineering workstations and potentially blocking operator visibility or control of production systems.
Who's at risk
Manufacturing facilities, utilities, and other industrial operations that use Rockwell Automation FactoryTalk Services Platform for centralized control system asset and project management. Impact is highest for organizations that rely on FactoryTalk as the central engineering workstation platform for PLC and automation device configuration.
How it could be exploited
An attacker with local user account credentials on a Windows server running FactoryTalk Services Platform could craft a malicious XML file that triggers an XXE (XML External Entity) vulnerability when processed by the platform. This would allow the attacker to read sensitive files from the server or exhaust system resources, causing a denial of service.
Prerequisites
- Local user account on the FactoryTalk Services Platform server
- Ability to upload or inject XML content to be processed by the platform
- FactoryTalk Services Platform version 6.11.00 or earlier
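Because the weakness sits at the point where the platform processes XML it did not author, a compensating control can sit at that same boundary when no patch exists. The following is an added example, not code from Rockwell Automation or from this advisory: a Python screen built on the standard-library expat parser that records any DOCTYPE or entity declaration in untrusted XML, rejects documents that carry one, and hands only clean documents to the application parser. No external-entity handler is installed, so the screen itself never opens a file or URL named by a SYSTEM identifier. The sample documents, the `project`/`device` element names and the placeholder path are constructed for this example.

```python
"""Reject DTD and entity declarations in untrusted XML before parsing.

Added example (not Rockwell Automation code). Standard library only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET
from xml.parsers import expat


@dataclass
class ScreenResult:
    has_doctype: bool = False
    # (entity name, SYSTEM identifier, or None for an internal entity)
    entities: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    parse_error: Optional[str] = None

    @property
    def safe(self) -> bool:
        """True only for well-formed XML with no DTD and no entity declarations."""
        return not self.has_doctype and not self.entities and self.parse_error is None


def screen_xml(data: bytes) -> ScreenResult:
    """Walk the document with expat and record DTD/entity declarations.

    No ExternalEntityRefHandler is installed, so expat does not fetch
    anything a SYSTEM identifier points at; it only reports the declaration.
    """
    result = ScreenResult()
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        result.has_doctype = True

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        result.entities.append((name, sysid))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Malformed input is rejected too; a screen that passes garbage is useless.
        result.parse_error = str(exc)
    return result


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse untrusted XML only if the screen found no DTD or entities."""
    check = screen_xml(data)
    if not check.safe:
        raise ValueError(
            f"XML rejected: doctype={check.has_doctype} "
            f"entities={check.entities} parse_error={check.parse_error}"
        )
    return ET.fromstring(data)


def audit_line(label: str, data: bytes) -> str:
    """One log-style line per document, for the audit trail on the ingestion path."""
    r = screen_xml(data)
    verdict = "accept" if r.safe else "reject"
    return f"{label}: {verdict} doctype={r.has_doctype} entities={r.entities}"


# Constructed sample inputs (not taken from the advisory).
BENIGN = b'<?xml version="1.0"?><project name="line3"><device tag="PLC01"/></project>'

# Same shape as an XXE probe: a DTD that declares an external entity and
# references it in content. The SYSTEM identifier is a placeholder.
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE project [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
    b'<project>&ext;</project>'
)

# A DTD with only internal entities is rejected as well: entity expansion is
# also how the resource-exhaustion (denial-of-service) variant works.
INTERNAL_ENTITY = b'<!DOCTYPE project [<!ENTITY a "x">]><project>&a;</project>'


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("external", EXTERNAL_ENTITY),
                       ("internal", INTERNAL_ENTITY)):
        print(audit_line(label, doc))
```

The screen rejects every DTD rather than trying to tell harmless declarations from harmful ones; configuration files exchanged between engineering tools rarely need one, and a blanket rule is easier to audit than an allow-list of entity shapes. The `audit_line` output gives the file-read monitoring in the mitigation section a record of what was rejected and why.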
Tags:
- No patch available
- Affects critical engineering platform
- Local exploitation but requires valid user credentials
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: FactoryTalk Services Platform
Affected Versions: ≤ 6.11.00
Fix Status: No fix (EOL)
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Workaround: Monitor FactoryTalk Services Platform process health and implement restart policies to mitigate denial-of-service impacts
Mitigations - no patch available
FactoryTalk Services Platform has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- Hardening: Restrict local user account access to FactoryTalk Services Platform servers to only authorized personnel
- Hardening: Implement local file access controls and audit logging on FactoryTalk Services Platform servers to detect suspicious file read activity
- Hardening: Isolate FactoryTalk Services Platform servers on a dedicated network segment separate from business networks and the internet
CVEs (1)