OTPulse

Rockwell Automation FactoryTalk Remote Access

Monitor · 6.5 · ICS-CERT ICSA-24-135-01 · May 14, 2024
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: Required
Summary

FactoryTalk Remote Access versions 13.5.0.174 and earlier contain a vulnerability that allows local attackers with high privileges to deliver and execute a malicious executable as a system user. Successful exploitation could result in remote code execution and full compromise of the remote access platform. The vulnerability is not remotely exploitable and requires local system access plus user interaction.

What this means
What could happen
An attacker with local access to a FactoryTalk Remote Access server could execute arbitrary code with system privileges, potentially allowing them to modify control commands, alter process data, or shut down remote access capabilities for legitimate operators.
Who's at risk
This affects any organization using Rockwell Automation FactoryTalk Remote Access for remote operator or maintenance connections to industrial control systems, including water utilities, power distributors, manufacturing plants, and other critical infrastructure sectors.
How it could be exploited
An attacker must first gain local access to the FactoryTalk Remote Access server (via malware, physical access, or compromised credentials). Once on the system with high privileges, they can deliver a malicious executable that the system will run as a system user, giving the attacker full control over the remote access platform.
Prerequisites
  • Local system access to the FactoryTalk Remote Access server
  • High privilege account or ability to place executable in a location the system will run from
  • User interaction to trigger execution (malicious file must be opened or executed by an authorized user)
  • Requires high privileges and local access
  • Requires user interaction to trigger
  • Affects remote access capability
  • Could impact operator visibility and control
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product                   | Affected Versions | Fix Status
FactoryTalk Remote Access | ≤ v13.5.0.174     | 13.6
Remediation & Mitigation
Do now
HARDENING: Restrict local access to FactoryTalk Remote Access servers through physical and logical access controls; limit who can log in and place files on the system
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade FactoryTalk Remote Access to version 13.6 or later
HARDENING: Monitor for and block execution of unsigned or suspicious executables on FactoryTalk Remote Access servers using endpoint protection or application whitelisting
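As an added example (not code from the OTPulse advisory or from Rockwell Automation), the following PowerShell script supports the monitoring step above: it audits the Authenticode signature status of every .exe and .dll under the FactoryTalk Remote Access install directory, records a SHA-256 hash for each file, and, when a CSV from an earlier run is supplied as a baseline, reports files that are new or whose hash changed since then. The install path and the baseline file location are operator-supplied assumptions; the advisory does not give them.

```powershell
# Added example, not part of the OTPulse advisory or the Rockwell product.
# Audits signature status of binaries under the FactoryTalk Remote Access
# install directory and diffs against an optional baseline from a prior run.
param(
    # Assumed: the operator supplies the real install directory (not given on the page).
    [Parameter(Mandatory)] [string]$InstallRoot,
    # Assumed: where to write this run's report.
    [string]$ReportPath = (Join-Path $env:TEMP 'ftra-signature-audit.csv'),
    # Assumed: a report from an earlier run, used to detect new or changed files.
    [string]$BaselinePath = ''
)

if (-not (Test-Path -LiteralPath $InstallRoot)) {
    throw "Install path not found: $InstallRoot"
}

# Collect signature status, signer and hash for every executable/DLL.
$findings = Get-ChildItem -LiteralPath $InstallRoot -Recurse -File -Include *.exe, *.dll |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path     = $_.FullName
            Status   = [string]$sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Modified = $_.LastWriteTimeUtc
            Sha256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# On a server only trusted operators should write to, anything without a
# valid signature is worth a second look (NotSigned or HashMismatch especially).
$suspect = @($findings | Where-Object { $_.Status -ne 'Valid' })

# Compare against the previous run, if one was provided: new paths and
# hash changes are exactly what an unexpected executable drop looks like.
$changes = @()
if ($BaselinePath -and (Test-Path -LiteralPath $BaselinePath)) {
    $baseline = @{}
    Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_.Sha256 }
    foreach ($f in $findings) {
        if (-not $baseline.ContainsKey($f.Path)) {
            $changes += [pscustomobject]@{ Change = 'New';     Path = $f.Path; Status = $f.Status }
        } elseif ($baseline[$f.Path] -ne $f.Sha256) {
            $changes += [pscustomobject]@{ Change = 'Changed'; Path = $f.Path; Status = $f.Status }
        }
    }
}

$findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation

'{0} files checked, {1} without a valid Authenticode signature, {2} new/changed since baseline (report: {3})' -f `
    $findings.Count, $suspect.Count, $changes.Count, $ReportPath
$suspect | Sort-Object Modified -Descending | Format-Table Status, Modified, Path -AutoSize
$changes | Format-Table Change, Status, Path -AutoSize
```

Run it once after the 13.6 upgrade to capture a known-good baseline, then schedule it and pass the saved CSV as -BaselinePath; a signed-but-new binary or a hash change on an existing one is the signal to investigate, while the list of NotSigned files is the input for the application whitelisting rules the hardening step calls for.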
Long-term hardening
HARDENING: Isolate FactoryTalk Remote Access servers on a dedicated network segment, separate from business networks and the internet
API: /api/v1/advisories/5a62c40c-f9d7-41cb-afac-c9b4a7fd7d82