Rockwell Automation FactoryTalk Vantagepoint

Plan PatchCVSS 7.1ICS-CERT ICSA-23-136-03May 16, 2023

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionRequired

Summary

FactoryTalk Vantagepoint versions prior to 8.40 contain an authentication and session management vulnerability (CWE-345) that allows an attacker to impersonate an existing user or perform unauthorized actions via a cross-site request forgery (CSRF) attack. Exploitation requires the user to click a malicious link while authenticated to the application. The vulnerability has high attack complexity and no known public exploits. Rockwell Automation recommends updating to version 8.40 or later and implementing security best practices including user training on phishing and social engineering.

What this means

What could happen

An attacker could trick a user into visiting a malicious link or page to take over their FactoryTalk Vantagepoint account or perform unauthorized actions on their behalf, potentially leading to unauthorized changes to factory automation configurations or operations.

Who's at risk

Manufacturing plants and facilities that use Rockwell Automation's FactoryTalk Vantagepoint for automation control, monitoring, or engineering workstations. This affects anyone who logs into the web interface as an operator, engineer, or administrator.

How it could be exploited

An attacker creates a phishing email or malicious web page that tricks a user into clicking a link while logged into FactoryTalk Vantagepoint. This allows the attacker to either hijack the user's session or perform a cross-site request forgery (CSRF) attack to execute commands as that user without their knowledge.

Prerequisites

User must click on attacker-controlled link or visit attacker-controlled page
User must be authenticated to FactoryTalk Vantagepoint at the time of attack
FactoryTalk Vantagepoint must be accessible via web browser

remotely exploitableuser interaction requiredhigh attack complexityaffects factory automation configuration and operations

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

FactoryTalk Vantagepoint: < 8.408.408.40

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGProvide user training on phishing and social engineering attacks; emphasize not clicking links in unsolicited emails or visiting untrusted websites

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate FactoryTalk Vantagepoint to version 8.40 or later

HARDENINGImplement email filtering and anti-phishing controls to block malicious links and suspicious attachments

Long-term hardening

0/1

HARDENINGReview and apply Rockwell Automation's Security Best Practices for FactoryTalk Vantagepoint deployments

CVEs (1)

CVE-2023-2444

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ed1d6b36-d7b5-41f2-9898-8c9853d2681b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.