OTPulse

Rockwell Automation FactoryTalk Historian SE

Plan Patch · 7.5 · ICS-CERT ICSA-24-130-01 · May 9, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

FactoryTalk Historian SE versions 9.0 and earlier contain resource exhaustion vulnerabilities (CWE-772, CWE-703) in the data collector service. Successful exploitation allows a remote, unauthenticated attacker to cause a denial-of-service condition that disrupts the historian service, preventing data collection and historical queries. Rockwell Automation has released a fix in version 9.01 or higher.

What this means
What could happen
An attacker could crash the FactoryTalk Historian SE service, causing loss of real-time data collection and historical data queries for your facility. This disrupts monitoring and reporting of plant operations.
Who's at risk
Water utilities and electric utilities using FactoryTalk Historian SE (version 9.0 or earlier) for real-time data collection and historical logging. This affects any facility that relies on Historian for monitoring production metrics, sensor data, or process events. Engineering teams, plant operators, and control room staff depend on Historian for situational awareness and trend analysis.
How it could be exploited
An attacker with network access to the FactoryTalk Historian SE port (typically port 4502 for the data collector service) can send a crafted request to trigger a resource exhaustion condition. No authentication is required, and the attack can be executed remotely over the network.
Prerequisites
  • Network access to FactoryTalk Historian SE (typically port 4502)
  • No credentials or authentication required
  • FactoryTalk Historian SE version 9.0 or earlier must be running
Remotely exploitable · No authentication required · Low complexity attack · Denial of service impact · Network-exposed historian systems at risk
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
FactoryTalk Historian SE: <=v9.0 | ≤ v9.0 | 9.01
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to FactoryTalk Historian SE ports to only authorized engineering workstations and data collection sources; use firewall rules to block inbound connections from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FactoryTalk Historian SE to version 9.01 or higher
Long-term hardening
HARDENING: Place FactoryTalk Historian SE on a segmented network behind a firewall, separate from internet-facing systems and corporate business networks
HARDENING: If remote access is needed, use a VPN with access controls rather than exposing the service directly to the internet
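
The triage this advisory implies, as an added example (not part of the advisory and not Rockwell Automation tooling): it flags hosts running 9.0 or earlier and inbound allow rules for port 4502 whose source lies outside the authorized networks. The inventory format, host names and address ranges are constructed assumptions.

```python
import ipaddress

FIXED = (9, 1)         # advisory: fixed in version 9.01 or higher
HISTORIAN_PORT = 4502  # advisory: "typically port 4502"; confirm on your install

def parse_version(text):
    """'9.0' -> (9, 0); '9.01' -> (9, 1); 'v9.01.00' -> (9, 1, 0)."""
    return tuple(int(part) for part in text.lower().lstrip("v").split("."))

def is_affected(version):
    # Anything that sorts below 9.01 is treated as affected (9.0 and earlier).
    return parse_version(version) < FIXED

def overbroad_sources(rules, authorized):
    """Sources allowed to reach the Historian port that lie outside `authorized`."""
    nets = [ipaddress.ip_network(a) for a in authorized]
    bad = []
    for rule in rules:
        if rule["port"] != HISTORIAN_PORT:
            continue
        src = ipaddress.ip_network(rule["source"])
        if not any(src.version == n.version and src.subnet_of(n) for n in nets):
            bad.append(rule["source"])
    return bad

def triage(asset, authorized):
    bad = overbroad_sources(asset["inbound_allow"], authorized)
    actions = []
    if bad:
        actions.append("restrict")  # workaround/hardening: limit who can connect
    if is_affected(asset["version"]):
        actions.append("patch")     # schedule the update to 9.01 or higher
    return {"host": asset["host"], "overbroad": bad, "actions": actions}

# Constructed sample data: hypothetical hosts, ranges and inventory format.
AUTHORIZED = ["10.20.30.0/28"]
INVENTORY = [
    {"host": "hist-a", "version": "9.0",
     "inbound_allow": [{"port": 4502, "source": "0.0.0.0/0"}]},
    {"host": "hist-b", "version": "8.00.00",
     "inbound_allow": [{"port": 4502, "source": "10.20.30.4/32"}]},
    {"host": "hist-c", "version": "9.01",
     "inbound_allow": [{"port": 4502, "source": "10.0.0.0/8"}]},
]

if __name__ == "__main__":
    for asset in INVENTORY:
        print(triage(asset, AUTHORIZED))
```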