Rockwell Automation Fixes 9 Flaws in FactoryTalk AssetCentreClaroty: Exploit of Vulnerabilities Could Enable Control of OT Network
Researchers at the cybersecurity company Claroty have uncovered nine critical vulnerabilities in industrial automation giant Rockwell Automation's FactoryTalk AssetCentre product, which, if exploited, potentially could enable attackers to control an OT network.
Rockwell Automation urges users of the product - a centralized tool for securing, managing, versioning, tracking and reporting automation-related asset information across a facility - to update to version 11, which mitigates the vulnerabilities. It also recommends configuring IPSec for secure communication.
While configuring IPSec for secure communication would allow the system to authenticate senders and prevent unauthorized connections, "an attacker that was able to leverage an authorized client would still be able to compromise the system," Claroty says. "According to Rockwell, using IPSec reduces risk by reducing the potential attack surface."
An Industrial Control System Cyber Emergency Response Team advisory includes all Rockwell Automation's mitigation tips, including advising users who are unable to upgrade or are concerned about unauthorized client connections to use built-in security features found within FactoryTalk AssetCentre.
All Flaws Are Critical
All of the nine vulnerabilities were assessed a CVSS score of 10, the highest criticality score. Claroty found that successful exploitation of these vulnerabilities allowed unauthenticated attackers to perform arbitrary command execution, SQL injection or remote code execution.
"The product is used by many industrial organizations for backup and disaster recovery, which could be an extremely attractive target for a ransomware group," says Lewis Jones, threat intelligence analyst at the security firm Talion. "Therefore, those with reliance on AssetCentre should patch and follow the mitigation actions now before an attacker is able to take advantage of the vulnerability."
A Powerful Tool
"FactoryTalk AssetCentre is a powerful, centralized tool where project files are stored for use on any Rockwell Automation platform," Claroty notes in its report. "The AssetCentre architecture, from a high level, includes the main server, an MS-SQL server database, clients and remote agents. The software agents run on engineering workstations (generally, Windows-based machines); the agents communicate with the centralized server and can accept and send commands to automation devices, such as programmable logic controllers. Project files are then updated and sent back to the server, which stores the files centrally. Operators can perform backup and restore and version control functions from AssetCentre for all PLCs running on a factory floor."
Researchers at Claroty found deserialization vulnerabilities in several remote services running on FactoryTalk AssetCentre that handle interprocess communication within an OT network, as well as SQL-injection vulnerabilities in other service functions.
"These services have the highest system privileges, which means any arbitrary code supplied by an attacker would also execute with those same privileges, allowing full access to the machine," Claroty says.
Exploits of three of the discovered flaws, CVE-2021-27462, CVE-2021-27466 and CVE-2021-27470, could allow an unauthenticated attacker to remotely execute arbitrary code in FactoryTalk AssetCentre. Exploiting the CVE-2021-27460 vulnerability could enable an unauthenticated local attacker to gain full access into the FactoryTalk AssetCentre main server and agent machines and remotely execute code, the Claroty researchers say.
If exploited, another vulnerability, CVE-2021-27474, could allow a remote unauthenticated attacker to modify or expose sensitive data in FactoryTalk AssetCentre. And another flaw, CVE-2021-27476, allows for OS command injection, giving a remote unauthenticated attacker the ability to run arbitrary code in FactoryTalk AssetCentre
Jones says an attacker who chains the vulnerabilities together could control a facility’s entire operational technology network and run commands on server agents and automation devices, such as programmable logic controllers.
Dealing With OT Flaws
Andy Norton, European cyber risk officer at the security firm Armis, says OT environments are routinely littered with trivially exploitable vulnerabilities.
"We cannot apply the same triage logic in OT that we would apply in IT," he says. "This reconciliation of priorities will be one of the challenges facing a converged organization. Embracing a framework approach, such as IEC62443, implementing its varied requirements and having measured defense in depth will greatly reduce the risk of any single vulnerability impacting an organization."
In March, researchers at Claroty found a critical authentication bypass vulnerability that enabled hackers to remotely compromise Rockwell Automation programmable logic controllers (see: Rockwell Controllers Vulnerable).
The severe vulnerability tracked as CVE-2021-22681, which had a CVSS score of 10.0, affected Studio 5000 Logix Designer, RSLogix 5000 and many Logix controllers. Attackers could exploit the flaw to extract a secret encryption key.