Rockwell Automation FactoryTalk Activation

Act Now9.8ICS-CERT ICSA-24-004-01Jan 4, 2024

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A buffer overflow vulnerability in FactoryTalk Activation Manager versions before 5.01 exists in the embedded Wibu-Systems CodeMeter 7.60c licensing component. The vulnerability is remotely exploitable over the network with no credentials required. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the FactoryTalk Activation Manager service, resulting in full system compromise.

What this means

What could happen

An attacker who gains access to FactoryTalk Activation Manager could execute arbitrary code and take full control of the system, allowing them to modify or stop production automation processes or disable safety interlocks.

Who's at risk

Factory automation and manufacturing facilities using Rockwell Automation FactoryTalk Activation Manager for license management should be concerned. This includes any organization running PLC programming environments, HMI systems, or other FactoryTalk-dependent control logic on FactoryTalk Activation Manager versions before 5.01.

How it could be exploited

An attacker on the network sends specially crafted data to FactoryTalk Activation Manager that triggers a buffer overflow in the embedded CodeMeter licensing component. This overflow allows code execution with the privileges of the application, which typically has broad access to factory automation systems.

Prerequisites

Network access to FactoryTalk Activation Manager service port
FactoryTalk Activation Manager version prior to 5.01
No authentication required to trigger the overflow

remotely exploitableno authentication requiredlow complexityhigh EPSS score (26.8%)buffer overflow vulnerabilityaffects system with broad automation access

Exploitability

High exploit probability (EPSS 26.8%)

Affected products (1)

ProductAffected VersionsFix Status

Factory Talk Activation Manager: <V4.00_Utilizes_Wibu-Systems_CodeMeter_7.60c<V4.00 Utilizes Wibu-Systems CodeMeter 7.60cNo fix yet

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGRestrict network access to FactoryTalk Activation Manager—ensure it is not accessible from the Internet or untrusted networks

HARDENINGPlace FactoryTalk Activation Manager behind a firewall and isolate from the business network if possible

WORKAROUNDIf remote access to FactoryTalk Activation Manager is required, use a VPN with current security patches

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade FactoryTalk Activation Manager to version 5.01 or later

CVEs (2)

CVE-2023-38545 CVE-2023-3935

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/484edae8-834b-4561-94f8-02ed29a73a50