Rockwell Automation FactoryTalk Alarm and Events Server
Monitor | 7.5 | ICS-CERT ICSA-22-300-01 | Oct 27, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk Alarm and Events Server contains a flaw that allows remote attackers to trigger a denial-of-service condition. The vulnerability is exploitable remotely with low attack complexity and requires no authentication. Successful exploitation causes the server to become unavailable, preventing alarm and event processing.
What this means
What could happen
An attacker can remotely crash the FactoryTalk Alarm and Events Server, making it unable to process alarms and events. This could prevent operators from receiving critical process alerts and notifications needed to manage plant operations.
Who's at risk
Manufacturing facilities, power generation plants, water utilities, and chemical processing operations that rely on Rockwell Automation FactoryTalk Alarm and Events Server for real-time process monitoring and operator notifications. Any site using FactoryTalk for distributed control system (DCS) alarm management is affected.
How it could be exploited
An attacker sends a specially crafted network request to the FactoryTalk Alarm and Events Server from the Internet or an internal network. The server processes the request without proper validation and enters a denial-of-service state, becoming unresponsive. No authentication is required.
Prerequisites
- Network access to FactoryTalk Alarm and Events Server port (port 2222 or configured alternative)
- No credentials required
- Server must be reachable from attacker's network location
Remotely exploitable | No authentication required | Low attack complexity | No patch available | Affects alerting and visibility systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk Alarm and Events Server - FactoryTalk Alarm and Events Server: All versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Configure IPsec on the FactoryTalk Alarm and Events Server according to the Rockwell Automation Knowledgebase article on deploying FactoryTalk software with IPsec
- HARDENING: Place the FactoryTalk Alarm and Events Server behind a firewall and isolate it from business networks
- HARDENING: Ensure the FactoryTalk Alarm and Events Server is not Internet-accessible; restrict network access to only authorized engineering workstations and systems
Mitigations - no patch available
FactoryTalk Alarm and Events Server - FactoryTalk Alarm and Events Server: All versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: If remote access to the server is required, implement a VPN with multi-factor authentication
- HARDENING: Monitor network traffic to the server and implement intrusion detection rules for suspicious connection patterns
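An added example (not from Rockwell Automation or the advisory) of the monitoring mitigation above: it reviews flow records for connections to the server on port 2222 from sources outside an allowlist, and for per-minute connection bursts. The record format, IP addresses, allowlist and burst threshold are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

AE_PORT = 2222  # port named in the advisory; change if the server uses an alternative
# Assumption: the site's authorized engineering workstations and systems.
ALLOWED = [ipaddress.ip_network(n) for n in ("10.20.30.0/28", "10.20.31.5/32")]
BURST_THRESHOLD = 20  # assumption: connections per source per minute worth a look

def parse(line):
    """Parse 'epoch_seconds src_ip dst_ip dst_port' (constructed flow-record format)."""
    ts, src, dst, port = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def review(lines, server_ip):
    """Return (unauthorized_sources, bursty_sources) for traffic to the A&E server."""
    server = ipaddress.ip_address(server_ip)
    unauthorized, per_minute = set(), Counter()
    for line in lines:
        try:
            ts, src, dst, port = parse(line)
        except ValueError:
            continue  # skip malformed records rather than abort the review
        if dst != server or port != AE_PORT:
            continue
        if not any(src in net for net in ALLOWED):
            unauthorized.add(str(src))
        per_minute[(str(src), ts // 60)] += 1
    bursty = {src for (src, _), n in per_minute.items() if n >= BURST_THRESHOLD}
    return sorted(unauthorized), sorted(bursty)

# Constructed sample records (not real traffic).
SAMPLE = (
    ["1666860000 10.20.30.4 10.20.40.10 2222",     # authorized workstation
     "1666860005 192.168.50.77 10.20.40.10 2222",  # host outside the allowlist
     "1666860009 10.20.30.4 10.20.40.10 443",      # other port, ignored
     "not a flow record"]                          # malformed, skipped
    + [f"{1666860060 + i} 10.20.31.5 10.20.40.10 2222" for i in range(25)]  # burst
)

if __name__ == "__main__":
    bad, bursts = review(SAMPLE, "10.20.40.10")
    print("unauthorized sources:", bad)
    print("bursty sources:", bursts)
```

An allowlisted source can still appear in the burst list, which is intended: a sudden rise in connections from an authorized workstation is also worth reviewing.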
CVEs (1)