Rockwell Automation FactoryTalk Updater (Update A)
Priority: Act Now | CVSS 9.1 | ICS-CERT ICSA-24-319-14 | Nov 14, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk Updater versions 4.00.00 through 4.19.99 contain multiple vulnerabilities including authentication bypass (CWE-922, CWE-358) and improper input validation (CWE-20) in the Web Client, Client, and Agent components. Successful exploitation could result in authentication bypass, remote code execution with service privileges, or local privilege escalation to administrator level. Fixed in version 4.20.00.
What this means
What could happen
An attacker could bypass authentication, execute commands remotely on the FactoryTalk Updater system, or gain local administrator privileges on the host. This could allow an attacker to modify or interrupt software deployments across your automation environment.
Who's at risk
Organizations running Rockwell Automation FactoryTalk Updater for centralized software distribution to PLCs, controllers, and industrial devices. This includes manufacturing plants, water utilities, and power utilities that use FactoryTalk as their firmware and software patch management system. Affected versions are 4.00.00 through 4.19.99 across Web Client, Client, and Agent components.
How it could be exploited
An attacker on the network could send specially crafted requests to the FactoryTalk Updater Web Client (typically port 443) or to the Client component to bypass authentication checks. Once authentication is bypassed, the attacker could execute arbitrary code in the context of the Updater service or as a local user, potentially with elevated privileges.
Prerequisites
- Network access to FactoryTalk Updater Web Client or Client component
- FactoryTalk Updater version 4.00.00 through 4.19.99 deployed
- Web Client accessible from network (default or misconfigured exposure)
Why this is rated critical
- Remotely exploitable
- No authentication required for the Web Client vulnerability
- Low attack complexity
- Affects software patch management (control of the supply chain for device updates)
- CVSS 9.1 (critical)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3), all with a fix available

Product                           Affected Versions        Fixed In
FactoryTalk Updater - Web Client  >=4.00.00 and <4.20.00   4.20.00
FactoryTalk Updater - Client      <4.20.00                 4.20.00
FactoryTalk Updater - Agent       <4.20.00                 4.20.00
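To make the affected-version ranges in the table above actionable, here is an added Python example (not from the advisory or from Rockwell Automation) that evaluates a constructed inventory of hosts and FactoryTalk Updater component versions against those ranges and lists which installs still need the 4.20.00 update; the host names and the inventory tuple format are assumptions.

```python
"""Flag FactoryTalk Updater components whose version falls in an affected range."""

# Affected-version expressions as written in the advisory table.
# Clauses joined by "|" must all hold (logical AND).
AFFECTED = {
    "FactoryTalk Updater - Web Client": ">=4.00.00|<4.20.00",
    "FactoryTalk Updater - Client": "<4.20.00",
    "FactoryTalk Updater - Agent": "<4.20.00",
}
FIXED_VERSION = "4.20.00"

OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "<": lambda a, b: a < b, ">": lambda a, b: a > b,
}


def parse_version(text):
    """'4.19.99' -> (4, 19, 99); shorter strings are zero-padded to three parts
    so that '4.20' compares equal to '4.20.00' instead of sorting below it."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def matches(version, expr):
    """True if `version` satisfies every clause of an expression like '>=4.00.00|<4.20.00'."""
    v = parse_version(version)
    for clause in expr.split("|"):
        clause = clause.strip()
        op = next((o for o in (">=", "<=", "==", "<", ">") if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unrecognised clause: {clause!r}")
        if not OPS[op](v, parse_version(clause[len(op):])):
            return False
    return True


def assess(inventory):
    """inventory: iterable of (host, component, version). Returns one finding per affected install."""
    findings = []
    for host, component, version in inventory:
        expr = AFFECTED.get(component)
        if expr is not None and matches(version, expr):
            findings.append({"host": host, "component": component, "version": version,
                             "action": f"update to {FIXED_VERSION} or later"})
    return findings


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ews-01", "FactoryTalk Updater - Web Client", "4.10.02"),   # affected
    ("ews-01", "FactoryTalk Updater - Client", "4.20.00"),       # fixed
    ("plc-gw-03", "FactoryTalk Updater - Agent", "4.19.99"),     # affected, last vulnerable build
    ("plc-gw-04", "FactoryTalk Updater - Agent", "4.21.00"),     # fixed
    ("ews-02", "FactoryTalk Updater - Web Client", "3.50.00"),   # below the Web Client range
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['component']} {f['version']} -> {f['action']}")
```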
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the server running FactoryTalk Updater using firewall rules; limit connections to only authorized engineering workstations and systems that require updates.
HARDENING: Ensure FactoryTalk Updater systems are located behind firewalls and not directly accessible from the Internet or business networks.
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
HOTFIX: Update FactoryTalk Updater - Web Client to version 4.20.00 or later.
HOTFIX: Update FactoryTalk Updater - Client to version 4.20.00 or later.
HOTFIX: Update FactoryTalk Updater - Agent to version 4.20.00 or later.