Rockwell Automation FactoryTalk System Services and Policy Manager
Monitor · 6.5 · ICS-CERT ICSA-24-193-19 · Jul 11, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Vulnerabilities in FactoryTalk System Services v6.40 and FactoryTalk Policy Manager v6.40 allow local users with elevated privileges to access and extract private keys and pre-shared keys stored in unprotected folders on the Windows server. These keys are used for CIP Security authentication. If obtained, an attacker could use the keys to impersonate legitimate automation devices and resources on the network, bypassing security controls that rely on CIP Security.
What this means
What could happen
An attacker with local access could steal private keys from FactoryTalk System Services or Policy Manager, then impersonate legitimate devices or systems on your automation network and access sensitive CIP-secured resources.
Who's at risk
Water and electric utilities using Rockwell Automation's FactoryTalk suite for industrial control system management, particularly those that have implemented CIP Security for device authentication and communication protection.
How it could be exploited
An attacker with local administrator or elevated user credentials on a Windows server running FactoryTalk System Services (FTSS) or FactoryTalk Policy Manager (FTPM) can access the keystore folder and extract private keys. These keys can then be used to impersonate legitimate automation devices communicating via Common Industrial Protocol (CIP), bypassing authentication controls.
Prerequisites
- Local administrative or elevated user access to the Windows server hosting FactoryTalk System Services or Policy Manager
- Knowledge of the keystore folder location (c:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore)
- CIP Security must be configured on the target network
Tags: local access required · private key exposure · affects authentication infrastructure · no patch currently available · CIP Security bypass
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (2)
2 with fix
Product                        Affected Versions   Fix Status
FactoryTalk System Services    v6.40               v6.40.01
FactoryTalk Policy Manager     v6.40               v6.40.01
Remediation & Mitigation
Do now
WORKAROUND: Delete the keystore folder at c:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore
WORKAROUND: Delete all backup copies of the keystore folder (named with the _source_YYYY_MM_DD suffix pattern)
WORKAROUND: Delete the PSKs.json file at c:\ProgramData\Rockwell Automation\FactoryTalk System Services\PSKs.json
WORKAROUND: Clear CIP Security configurations from all devices and from FactoryTalk Policy Manager
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update FactoryTalk System Services and FactoryTalk Policy Manager to v6.40.01 or later when available
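The following PowerShell check is an added example, not code from Rockwell Automation or from this advisory; it lets an administrator confirm that the workaround above was actually applied (keystore, dated backups and PSKs.json gone) and, for anything still present, reports which broad principals hold read access. It assumes the paths quoted in the advisory, that backup copies are sibling folders of the keystore under the same parent directory, and that the list of "broad" principals is a local choice.

```powershell
# Added example (not Rockwell's or the advisory's code): audit a FTSS/FTPM host for the
# key-material artefacts named in ICSA-24-193-19. Run elevated on the Windows server.
# Assumptions: paths are those quoted in the advisory; dated keystore backups are
# sibling directories of the keystore; $BroadPrincipals is our own choice.

$Base = 'C:\ProgramData\Rockwell Automation\FactoryTalk System Services'
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-BroadReadAces {
    param([string]$Path)
    # Allow ACEs that give a broad principal at least ReadData on the item
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
}

function Test-FtssKeyMaterial {
    param([string]$BasePath = $Base)
    $findings = @()
    # Items the workaround says to delete: keystore, PSKs.json, and
    # backup copies of the keystore named ..._source_YYYY_MM_DD
    $candidates = @(
        (Join-Path $BasePath 'keystore'),
        (Join-Path $BasePath 'PSKs.json')
    )
    if (Test-Path -LiteralPath $BasePath) {
        $candidates += Get-ChildItem -LiteralPath $BasePath -Directory |
            Where-Object { $_.Name -match '_source_\d{4}_\d{2}_\d{2}$' } |
            ForEach-Object { $_.FullName }
    }
    foreach ($p in $candidates) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # already removed: nothing to report
        $broad = @(Get-BroadReadAces -Path $p)
        $findings += [pscustomobject]@{
            Path          = $p
            BroadReadAces = $broad.Count
            Principals    = ($broad | ForEach-Object { $_.IdentityReference.Value } |
                             Sort-Object -Unique) -join ', '
        }
    }
    return $findings
}

# Empty output means the workaround artefacts are gone; any row is a leftover to remove.
Test-FtssKeyMaterial | Format-Table -AutoSize
```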
CVEs (2)