Rockwell Automation FactoryTalk Services Platform

Plan Patch7.3ICS-CERT ICSA-23-164-02Jun 13, 2023

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

FactoryTalk Policy Manager and System Services v6.11.0 contain vulnerabilities in authentication/authorization handling (CWE-321, CWE-287, CWE-346) that allow a user with valid credentials and local system access to elevate privileges, disclose configuration information, or load malicious configuration files. Successful exploitation requires user interaction with the UI but could grant full administrative access to the FactoryTalk platform.

What this means

What could happen

An attacker with local access could elevate privileges from a regular user to administrator, disclose sensitive configuration information, or load malicious configuration files into the FactoryTalk platform, potentially affecting production scheduling, recipe management, or operational visibility across your automation network.

Who's at risk

Plant engineers and automation managers using FactoryTalk for production scheduling, recipe management, or process configuration at manufacturing plants, food and beverage facilities, and other discrete or process manufacturers. Anyone running Rockwell FactoryTalk Policy Manager or System Services v6.11.0 should prioritize assessment.

How it could be exploited

An attacker with a valid user account on a system running vulnerable FactoryTalk services could interact with the UI to trigger privilege escalation, information disclosure, or configuration file manipulation. The attack requires local system access and user interaction, but could result in administrative control of the FactoryTalk platform.

Prerequisites

Valid user account on a system running FactoryTalk Policy Manager or System Services
Local access to the affected system or ability to interact with the UI
User interaction (clicking, accepting dialogs) to complete the exploit

Local access required but user interaction can be deceivedLow CVSS complexity to exploitPrivilege escalation to administrator possibleAffects critical production management platform

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

FactoryTalk Policy Manager: v6.11.0v6.11.06.30.00

FactoryTalk System Services: v6.11.0v6.11.06.30.00

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDIf remote access to FactoryTalk is required, implement secure VPN access and keep VPN software updated to the latest version

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade FactoryTalk Policy Manager to v6.30.00 or later

HOTFIXUpgrade FactoryTalk System Services to v6.30.00 or later

HARDENINGRestrict local access to FactoryTalk systems to authorized engineering personnel only

Long-term hardening

0/1

HARDENINGIsolate FactoryTalk servers and engineering workstations from business networks using firewalls

CVEs (3)

CVE-2023-2637 CVE-2023-2638 CVE-2023-2639

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/402baa66-07bc-45a9-8b76-41e9bbfbbf6b