Rockwell Automation FactoryTalk Services Platform

Plan Patch8.5ICS-CERT ICSA-21-161-01Jun 10, 2021

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

A vulnerability in FactoryTalk Services Platform v6.11 and earlier allows authenticated users to bypass security policies that are based on computer name verification. The flaw affects systems where FactoryTalk Security is enabled and deployed. Rockwell Automation states that no fix is available for the affected versions, though v6.20 and later are not vulnerable.

What this means

What could happen

An authenticated attacker could bypass FactoryTalk security policies that restrict access based on computer names, potentially gaining unauthorized access to industrial processes and control system data.

Who's at risk

System integrators and plant operators using Rockwell Automation FactoryTalk Services Platform versions 6.11 or earlier, particularly those in manufacturing, chemical processing, pharmaceutical, and other process industries that rely on FactoryTalk for access control and security policy enforcement.

How it could be exploited

An attacker with valid credentials could establish a remote connection to a FactoryTalk Services Platform system and manipulate the computer name verification mechanism to bypass security policies. This requires network access to the platform and authenticated user credentials.

Prerequisites

Valid FactoryTalk user credentials
Network access to FactoryTalk Services Platform
FactoryTalk Security feature enabled and deployed
Affected version (v6.11 or earlier) in use

Requires authentication (lower risk than unauthenticated)Bypasses access controls (affects security policy enforcement)High complexity exploitation (high CVSS 8.5 but noted as high attack complexity)No patch available for affected versions (end-of-life risk)

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

FactoryTalk Services Platform: v6.11 and earlier if FactoryTalk Security is enabled and deployed≤ 6.116.20 or later

Remediation & Mitigation

0/8

Do now

0/3

WORKAROUNDMinimize use of remote desktop connections to FactoryTalk systems

HARDENINGApply least-privilege principle: run FactoryTalk software as standard user, not Administrator

HARDENINGEnsure FactoryTalk Systems are not accessible from the Internet

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate FactoryTalk Services Platform to v6.20 or later

HARDENINGEnable Microsoft Event Logger or similar tool to monitor remote desktop connections and disconnections for anomalies

HARDENINGRestrict user and service account access to shared resources (databases, network shares) to minimum required rights

Long-term hardening

0/2

HARDENINGIf remote access to FactoryTalk is required, use a VPN with current security patches

HARDENINGIsolate FactoryTalk Services Platform network from the business network using firewalls

CVEs (1)

CVE-2021-32960

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a8d67d44-a210-4c3a-a0a3-c915369bee25