OTPulse

Rockwell Automation FactoryTalk Service Platform

Plan PatchCVSS 9ICS-CERT ICSA-24-046-16Feb 15, 2024
Rockwell Automation
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

FactoryTalk Service Platform versions prior to 2.74 contain a privilege escalation vulnerability (CWE-279) that allows a user with basic group privileges to escalate to administrator-level access. Successful exploitation requires the attacker to have a valid user account on the system and specific system conditions to be present (high attack complexity). No patch is currently available from Rockwell Automation. Rockwell Automation recommends implementing network isolation and access controls as mitigations.

What this means
What could happen
A basic-privileged user on FactoryTalk Service Platform could escalate to administrator-level access, allowing them to modify system configuration, add unauthorized users, or alter industrial process settings.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Rockwell Automation FactoryTalk Service Platform for SCADA, HMI, or process automation systems should assess their exposure. This affects any organization where basic-privileged users could interact with the platform.
How it could be exploited
An attacker with a standard user account on the FactoryTalk Service Platform (or gaining such an account through social engineering or weak credentials) could exploit the privilege escalation vulnerability to obtain administrator privileges, then use those privileges to modify the system.
Prerequisites
  • Valid user account with basic (non-admin) group privileges on FactoryTalk Service Platform
  • Network access to the FactoryTalk Service Platform
  • Specific system configuration that permits the exploit (high attack complexity suggests certain conditions must be met)
No patch availableHigh CVSS severity (9.0)Privilege escalation allows full system compromiseAffects critical industrial automation platform
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
ProductAffected VersionsFix Status
FactoryTalk Service Platform: <v2.74<v2.74No fix (EOL)
Remediation & Mitigation
0/5
Do now
0/2
HARDENINGMinimize network exposure of FactoryTalk Service Platform—ensure it is not accessible from the internet or untrusted networks
HARDENINGIsolate FactoryTalk Service Platform behind a firewall and on a separate network segment from business systems and the internet
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HARDENINGRestrict user account creation and privilege assignment—audit who has basic user access and remove unnecessary accounts
Mitigations - no patch available
0/2
FactoryTalk Service Platform: <v2.74 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIf remote access is required, use a VPN with strong authentication and keep VPN software updated to the latest version
HARDENINGMonitor for suspicious authentication and privilege escalation attempts on the FactoryTalk Service Platform
View full CISA ICS-CERT advisory
API: /api/v1/advisories/2e473708-e1a5-46e3-ad99-e67a8ee9d43b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Rockwell Automation FactoryTalk Service Platform | CVSS 9 - OTPulse