Rockwell Automation FactoryTalk Linx
Act Now | 9.8 | ICS-CERT ICSA-20-329-01 | Nov 24, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk Linx versions 6.11 and earlier contain input validation flaws (CWE-20) and buffer overflow weaknesses (CWE-122) in their network service handling. These vulnerabilities allow an unauthenticated remote attacker to send malformed packets that trigger memory corruption, resulting in denial of service, arbitrary code execution with the privileges of the running process, or information disclosure, including credential data, that could be used to bypass address space layout randomization protections.
What this means
What could happen
An attacker with network access to FactoryTalk Linx could execute arbitrary commands on engineering workstations, crash the software to disrupt process monitoring and control, or steal credential information to move laterally within the industrial network.
Who's at risk
This affects engineering workstations and servers running Rockwell Automation FactoryTalk Linx in any manufacturing or process control environment—including water treatment facilities, electric utilities, chemical plants, and automotive manufacturing. The vulnerability impacts devices used for process monitoring, alarming, and control configuration.
How it could be exploited
An attacker sends a specially crafted network packet to the FactoryTalk Linx service running on an engineering workstation or server. The input validation flaws allow the packet to bypass security checks, leading to memory corruption that results in code execution with the privileges of the running process. No authentication is required.
Prerequisites
- Network access to the device running FactoryTalk Linx (TCP/UDP ports typically used by the Linx service)
- No credentials required
- No user interaction required
Tags: remotely exploitable, no authentication required, low complexity attack, high EPSS score (19.8%), affects engineering workstations and control system visibility
Exploitability
High exploit probability (EPSS 19.8%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk Linx | ≤ 6.11 | 6.20 or patch for 6.10/6.11 (Patch Answer ID 1126433)
Remediation & Mitigation
Do now
- HARDENING: Run FactoryTalk Linx as a non-administrator user account to limit the impact of code execution
- WORKAROUND: Implement firewall rules to restrict network access to FactoryTalk Linx ports, allowing only trusted engineering workstations and servers
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update FactoryTalk Linx to version 6.20 or apply patch for v6.10/6.11 (Patch Answer ID 1126433)
- HARDENING: Deploy Microsoft AppLocker or equivalent application whitelisting to restrict unauthorized code execution
Long-term hardening
- HARDENING: Isolate industrial control system networks from the business network and the Internet using network segmentation
- HARDENING: Implement least-privilege access controls for user and service accounts accessing shared resources such as databases
- HARDENING: If remote access to engineering workstations is required, enforce secure VPN connections with current security patches