Rockwell Automation FactoryTalk Updater (Update A)
Action: Plan patch
CVSS: 9.1
Advisory: ICS-CERT ICSA-24-319-14
Published: Nov 14, 2024
Vendor: Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
FactoryTalk Updater versions before 4.20.00 (Web Client 4.00.00 through 4.19.99; Client and Agent, all versions before 4.20.00) contain multiple vulnerabilities in authentication, input validation, and data encoding. Together they could allow an attacker to bypass authentication, execute remote code, or escalate privileges on the host running the affected component.
What this means
What could happen
An attacker could bypass authentication and execute arbitrary code on the FactoryTalk Updater server. Because that server is the distribution point for software and firmware updates to PLCs, HMIs, and other control system devices, a compromise there gives the attacker a supply-chain position: malicious firmware or settings pushed through it could disrupt production or alter process behavior across the facility.
Who's at risk
Facilities that use Rockwell Automation FactoryTalk Updater to manage firmware and settings for PLCs, HMIs, and other control devices should prioritize this. That includes manufacturing plants, water treatment facilities, power substations, and any other site that relies on FactoryTalk for distributed control system management.
How it could be exploited
An attacker with network access to a host running a FactoryTalk Updater component (Web Client, Client, or Agent) could first use the authentication bypass to gain access without valid credentials, then chain the input validation or output encoding flaws to execute arbitrary code with the privileges of the updater service.
Prerequisites
- Network access to the FactoryTalk Updater server (the Web Client is typically reached over HTTPS on port 443; the Client and Agent listen on their own service ports)
- No valid credentials, because the authentication bypass removes that requirement
Risk factors
- Remotely exploitable
- No authentication required
- Low complexity
- High CVSS score (9.1)
- Affects the software distribution mechanism for control systems
Exploitability
Unlikely to be exploited: EPSS score 0.1%. EPSS estimates the probability of exploitation in the wild within the next 30 days, so a low score informs how soon to schedule the update, not whether the impact is serious; an unauthenticated remote code execution path on an update server remains high impact if it is used.
Affected products (3)
All 3 have a fix available.

Product                             Affected versions         Fixed in
FactoryTalk Updater - Web Client    >= 4.00.00 and < 4.20.00  4.20.00
FactoryTalk Updater - Client        < 4.20.00                 4.20.00
FactoryTalk Updater - Agent         < 4.20.00                 4.20.00
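To turn the affected-versions table into a check that can be run across a site's software inventory, the following Python script is an added example (not Rockwell Automation, CISA, or this page's own code). It encodes the three ranges from the table, including the Web Client's 4.00.00 lower bound, and classifies each inventory row as affected, not affected, or needing review. The host names and inventory rows are constructed for illustration; a blank or malformed version string is flagged for review rather than silently compared as if it were safe, and "4.20" is treated as equal to "4.20.00" rather than sorting below it.

```python
"""Triage an installed-software inventory against the affected-version table
for ICSA-24-319-14 (Rockwell Automation FactoryTalk Updater).

Added example, not Rockwell Automation, CISA or advisory-page code. Component
names and version ranges come from the advisory table; host names and
inventory rows are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

FIXED_VERSION = "4.20.00"

# (inclusive lower bound or None, exclusive upper bound) per component.
# None means "every version below the fix", matching the '< 4.20.00' rows.
AFFECTED_RANGES: dict[str, tuple[Optional[str], str]] = {
    "FactoryTalk Updater - Web Client": ("4.00.00", FIXED_VERSION),
    "FactoryTalk Updater - Client": (None, FIXED_VERSION),
    "FactoryTalk Updater - Agent": (None, FIXED_VERSION),
}


def parse_version(text: str) -> tuple[int, ...]:
    """'4.19.99' -> (4, 19, 99). Anything that is not dotted digits raises,
    so a blank or garbled inventory field is surfaced instead of comparing
    as if it were safe."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: tuple[int, ...], b: tuple[int, ...]) -> bool:
    """Numeric comparison with zero-padding, so '4.20' equals '4.20.00'
    rather than sorting below it the way plain tuple comparison would."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_affected(component: str, version: str) -> bool:
    """True if this component/version falls inside the advisory's affected range."""
    low, high = AFFECTED_RANGES[component]
    v = parse_version(version)
    if not version_lt(v, parse_version(high)):
        return False  # at or above the fixed version
    if low is not None and version_lt(v, parse_version(low)):
        return False  # below the table's lower bound (Web Client only)
    return True


@dataclass(frozen=True)
class Finding:
    host: str
    component: str
    version: str
    status: str  # "affected", "not affected" or "review"


def triage(inventory: Iterable[tuple[str, str, str]]) -> list[Finding]:
    """Classify every FactoryTalk Updater row; other software is skipped."""
    findings = []
    for host, component, version in inventory:
        if component not in AFFECTED_RANGES:
            continue
        try:
            status = "affected" if is_affected(component, version) else "not affected"
        except ValueError:
            status = "review"  # version field unusable; check the host by hand
        findings.append(Finding(host, component, version, status))
    return findings


def affected_hosts(findings: Iterable[Finding]) -> list[str]:
    """Sorted, de-duplicated hosts with at least one affected component."""
    return sorted({f.host for f in findings if f.status == "affected"})


# Constructed sample inventory: (host, installed product, version).
SAMPLE_INVENTORY = [
    ("ENG-WS01", "FactoryTalk Updater - Client", "4.11.00"),
    ("FTU-SRV01", "FactoryTalk Updater - Web Client", "4.19.99"),
    ("FTU-SRV01", "FactoryTalk Updater - Agent", "4.20.00"),
    ("HMI-PC07", "FactoryTalk Updater - Agent", "3.00.00"),
    ("ENG-WS02", "FactoryTalk Updater - Web Client", "3.50.00"),
    ("ENG-WS03", "FactoryTalk Updater - Client", "4.20"),
    ("ENG-WS04", "FactoryTalk Updater - Agent", ""),
    ("ENG-WS04", "Studio 5000 Logix Designer", "35.00.00"),
]

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.host:10} {f.component:34} {f.version or '(blank)':8} {f.status}")
    print("hosts to patch:", ", ".join(affected_hosts(results)))
```

Feed the script rows exported from each host's installed-programs list (on Windows, the Uninstall registry keys or a package inventory tool) instead of the constructed sample. Note that the table excludes Web Client versions below 4.00.00, so the script reports them as not affected; that reflects the advisory's stated range, not an independent assessment of older builds.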
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to the server hosting FactoryTalk Updater; allow connections only from authorized engineering workstations and the control system devices that need updates.
- HARDENING: Implement firewall rules so that FactoryTalk Updater services are not directly reachable from the Internet or from any other untrusted network.
Schedule (requires maintenance window)
Patching may require a reboot of the host running the component; plan for process interruption.
- HOTFIX: Update FactoryTalk Updater Web Client to version 4.20.00 or later.
- HOTFIX: Update FactoryTalk Updater Client to version 4.20.00 or later.
- HOTFIX: Update FactoryTalk Updater Agent to version 4.20.00 or later.