Rockwell Automation FactoryTalk Linx and FactoryTalk Services Platform

MonitorCVSS 7.5ICS-CERT ICSA-21-028-01Jan 28, 2021

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

FactoryTalk Linx software and FactoryTalk Services Platform versions 6.20 and earlier contain improper input validation vulnerabilities (CWE-755, CWE-770) that can be triggered by malicious network packets sent to EtherNet/IP or CIP protocol ports (2222, 44818). Successful exploitation results in a denial-of-service condition, causing the FactoryTalk application to crash. Rockwell Automation has not issued patches for these vulnerabilities and recommends network-based and configuration mitigations instead.

What this means

What could happen

An attacker can send specially crafted network packets to FactoryTalk Linx or FactoryTalk Services Platform to crash the application, disrupting engineering workstations and potentially halting access to plant configuration and monitoring capabilities.

Who's at risk

Manufacturing and process industries using Rockwell Automation FactoryTalk Linx or FactoryTalk Services Platform for engineering and plant configuration. Any organization with these products running on engineering workstations or servers should be concerned, particularly utilities and discrete manufacturers relying on these tools to manage PLCs and control systems.

How it could be exploited

An attacker on the network or Internet sends malicious packets to TCP/UDP port 2222 or 44818 targeting FactoryTalk Linx or FactoryTalk Services Platform. The application fails to properly validate or handle these packets, causing a denial-of-service condition that crashes the service.

Prerequisites

Network reachability to the engineering workstation or server running FactoryTalk Linx or FactoryTalk Services Platform on port 2222 or 44818 (EtherNet/IP or CIP protocol)
No authentication required to send a malicious packet

remotely exploitableno authentication requiredlow complexity attackno patch availabledenial-of-service impact on engineering capabilities

Exploitability

Unlikely to be exploited — EPSS score 0.6%

Affected products (2)

1 pending1 EOL

ProductAffected VersionsFix Status

FactoryTalkServices Platform:≤ 6.20No fix yet

FactoryTalk Linx software:≤ 6.20No fix (EOL)

Remediation & Mitigation

0/7

Do now

0/1

WORKAROUNDImplement firewall rules to block all incoming traffic to TCP and UDP ports 2222 and 44818 from outside your manufacturing zone

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGRun FactoryTalk Services Platform as a regular user, not Administrator, to limit the impact if the application is compromised

HARDENINGApply least-privilege principles to user accounts and service accounts accessing FactoryTalk and shared resources like databases

Mitigations - no patch available

0/4

FactoryTalk Linx software: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate FactoryTalk Linx and FactoryTalk Services Platform systems behind a firewall and separate them from the business network

HARDENINGUse Microsoft AppLocker or similar allow-list tools to restrict which applications can run on FactoryTalk engineering workstations

HARDENINGTrain users not to open untrusted .ftd files or click links from untrusted sources

HARDENINGEnsure FactoryTalk systems are not accessible from the Internet

CVEs (4)

CVE-2020-5801 CVE-2020-5802 CVE-2020-5806 CVE-2020-5807

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ca7dbe27-eb44-40ba-8a1e-116764085392

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.