Rockwell Automation FactoryTalk Service Platform
Act Now | CVSS 9.8 | ICS-CERT ICSA-24-030-06 | Jan 30, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk Service Platform versions prior to 6.40 contain an authentication bypass vulnerability (CWE-347) that allows attackers to retrieve user information and modify system settings without credentials. The vulnerability affects the FactoryTalk Services APIs and can be exploited through unauthenticated network requests. Successful exploitation allows an attacker to access and manipulate system configuration, user credentials, and application authorization policies.
What this means
What could happen
An attacker with network access to FactoryTalk Service Platform can retrieve user credentials and modify system settings without logging in, potentially gaining control over automation logic, setpoints, and production workflows.
Who's at risk
Manufacturing plants and facilities using Rockwell Automation FactoryTalk Service Platform for automation control and HMI operations should be concerned. This includes process manufacturers, discrete manufacturers, and any facility using FactoryTalk for PLC programming, setpoint management, or real-time monitoring.
How it could be exploited
An attacker sends unauthenticated requests over the network to the FactoryTalk Service Platform APIs to retrieve service tokens and user information, or to modify system configurations and authorization policies without needing valid credentials.
Prerequisites
- Network access to FactoryTalk Service Platform (port/protocol not specified in advisory)
- No credentials required
- DCOM must be at default authentication level (not set to level 6)
remotely exploitable, no authentication required, low complexity attack, critical CVSS 9.8, affects system configuration and access control
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk Service Platform: <v6.4 | <v6.4 | 6.40
Remediation & Mitigation
Do now
- WORKAROUND: Set DCOM authentication level to 6 to enable encryption of service tokens and communication between server and client
- WORKAROUND: Enable verification of publisher information (digital signature validation) for executables using FactoryTalk Services APIs via Application Authorization settings in FactoryTalk Administration Console
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update FactoryTalk Service Platform to version 6.40 or later
- HARDENING: Restrict network access to FactoryTalk Service Platform from untrusted networks using firewalls
Long-term hardening
- HARDENING: Isolate FactoryTalk Service Platform on a separate network segment from the corporate business network
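
The prerequisites and remediation steps above can be turned into an asset-inventory triage; the following is an added example, not part of the advisory or of any Rockwell tooling. The inventory records, host names and field names are constructed, and reading the minor version as a decimal fraction (so "6.4" and "6.40" are the same release, as the affected-products table prints both forms) is an assumption.

```python
from decimal import Decimal, InvalidOperation

FIXED = Decimal("6.40")   # fix version stated in the advisory
DCOM_LEVEL = 6            # DCOM authentication level named in the workaround

def parse_version(text):
    """Return major.minor as a Decimal, or None when it cannot be parsed.

    Assumption: the minor field is a decimal fraction, so "6.4" and "6.40"
    are the same release. Build suffixes ("6.21.00") are ignored.
    """
    parts = text.strip().lstrip("vV").split(".")
    try:
        value = Decimal(".".join(parts[:2]))
    except InvalidOperation:
        return None
    return value if value.is_finite() else None

def triage(record):
    """Classify one inventory record against the advisory's conditions."""
    version = parse_version(record["ftsp_version"])
    if version is None:
        return "review: version unknown"
    if version >= FIXED:
        return "fixed"
    if record.get("dcom_auth_level") == DCOM_LEVEL:
        return "workaround applied: schedule update"
    return "exposed: apply workaround, schedule update"

def report(inventory):
    """Map each host name to its triage result."""
    return {r["host"]: triage(r) for r in inventory}

# Constructed inventory; host names and field names are hypothetical.
INVENTORY = [
    {"host": "hmi-01", "ftsp_version": "6.31", "dcom_auth_level": 2},
    {"host": "eng-ws-02", "ftsp_version": "v6.4", "dcom_auth_level": 2},
    {"host": "hist-03", "ftsp_version": "6.21.00", "dcom_auth_level": 6},
    {"host": "srv-04", "ftsp_version": "", "dcom_auth_level": None},
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing the version fields as integer tuples would rank "6.4" below "6.40" and flag an already fixed host, which is why the string is normalised before the comparison.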
CVEs (1)