Rockwell Automation FactoryTalk Services Platform
Act Now · CVSS 10 · ICS-CERT ICSA-21-054-01 · Feb 23, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
CWE-916 vulnerability in Rockwell Automation FactoryTalk Services Platform versions 6.10.00 and 6.11.00 allows remote, unauthenticated attackers to create new user accounts in the administration console. New accounts created via this vulnerability would have full administrative privileges, enabling the attacker to modify or delete configuration and application data in any FactoryTalk software connected to the platform, including SCADA systems, HMIs, and data servers.
What this means
What could happen
An attacker could create unauthorized administrator accounts in FactoryTalk Services Platform, then use those accounts to modify or delete configuration and application data in connected FactoryTalk software, potentially disrupting production operations and compromising plant integrity.
Who's at risk
Organizations running Rockwell Automation FactoryTalk Services Platform versions 6.10.00 or 6.11.00 are affected. This impacts any facility using FactoryTalk for manufacturing, process automation, or asset management, including food and beverage plants, chemical processors, automotive manufacturers, and utilities using FactoryTalk for SCADA or distributed control integration.
How it could be exploited
An attacker on the network sends crafted requests to the FactoryTalk Services Platform administration console port (typically TCP 443 or 80). Because no authentication is required and the vulnerability has low complexity, the attacker can directly create a new administrative user account without credentials. Once the account is created, the attacker can log in and modify or delete configurations and application data in any FactoryTalk software connected to that platform.
Prerequisites
- Network access to FactoryTalk Services Platform administration console (usually TCP 443 or 80)
- FactoryTalk Services Platform must be reachable from the attacker's network location
- Remotely exploitable
- No authentication required
- Low complexity
- High CVSS score (10.0)
- Affects critical industrial software platform
- No patch available for affected versions
- Could enable compromise of safety and process control systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product: FactoryTalk Services Platform
Affected Versions: 6.10.00 | 6.11.00
Fix Status: 6.12.00 or later
Remediation & Mitigation
Do now
WORKAROUND: Disable remote Internet access to FactoryTalk Services Platform unless essential; if remote access is required, restrict it through VPN with strong authentication
WORKAROUND: Restrict network access to the FactoryTalk Services Platform administration console to authorized engineering workstations only using host-based or network firewalls
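One way to apply the host-based firewall workaround on the Windows server hosting the platform, as an added example that is not Rockwell Automation or ICS-CERT code. The console ports follow the "typically TCP 443 or 80" statement above, and the workstation addresses and function names are constructed placeholders.

```powershell
# Added example. Assumptions: console ports and workstation addresses are
# placeholders; confirm both for your installation before use.
$ConsolePorts   = @('80', '443')                  # page: "typically TCP 443 or 80"
$EngineeringIPs = @('192.0.2.10', '192.0.2.11')   # constructed sample addresses

function Test-PortCovered {
    # True when a rule's LocalPort list ('Any', '443', '400-500') covers a wanted port.
    param([string[]]$RulePorts, [string[]]$Wanted)
    foreach ($p in $RulePorts) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            if ($Wanted | Where-Object { [int]$_ -ge $lo -and [int]$_ -le $hi }) { return $true }
        } elseif ($Wanted -contains $p) { return $true }
    }
    return $false
}

function Get-BroadConsoleRule {
    # Enabled inbound allow rules that expose the console ports to any source address.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.Protocol -in 'TCP', 'Any') -and
        (Test-PortCovered -RulePorts $port.LocalPort -Wanted $ConsolePorts) -and
        ($addr.RemoteAddress -contains 'Any')
    }
}

# Block rules override allow rules in Windows Firewall, so access is restricted by
# narrowing allow rules and relying on the default inbound action being Block.
Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -eq 'Allow' } |
    ForEach-Object { Write-Warning "Profile $($_.Name): default inbound action is Allow" }

$broad = @(Get-BroadConsoleRule)
$broad | Format-Table DisplayName, Profile -AutoSize

# -WhatIf only previews the change; review the listed rules before removing it.
foreach ($rule in $broad) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $EngineeringIPs -WhatIf
}
```

Other services on the same host may share ports 80 and 443, so check each listed rule before narrowing it. Rules delivered by Group Policy are not in the local store this script reads and have to be changed in the policy itself.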
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Apply Rockwell Automation security patch (version 6.12.00 or later for affected versions 6.10.00 and 6.11.00)
Long-term hardening
HARDENING: Network segmentation: Isolate FactoryTalk Services Platform and all connected FactoryTalk software behind a firewall, separate from business networks and Internet
CVEs (1)