FactoryTalk® Service Platform Service Token Vulnerability
Published Date: January 30, 2024
Last updated: March 5th, 2024 *Updated Mitigations and Workarounds*
Revision Number: 1.0
CVSS Score: 9.8/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product |
First Known in software version |
Corrected in software version |
FactoryTalk® Service Platform |
<= v6.31 |
v6.40 or later |
Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
Customers updating to v6.40 or later should do one of the following steps:
- Set the FactoryTalk Directory’s System Communications Type security policy to SOCKET.IO. This prevents FactoryTalk Services Platform from using the DCOM communication channel. When set to SOCKET.IO only v6.40, and later, FactoryTalk Directory clients can communicate with the FactoryTalk Directory server.
- If the v6.40 (or later) FactoryTalk Directory server must support communication with legacy FactoryTalk Directory client versions, v6.31 and earlier, do not alter the System Communication Type setting from AUTO or DCOM.
Instead, elevate DCOM Authentication Level to PACKET PRIVACY (‘6’). Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)
IMPORTANT! Two v 6.40 (or later) FactoryTalk Directory security policies can prevent legacy FactoryTalk Directory clients, v6.31 and earlier, from connecting with the FactoryTalk Directory server. Ensure both security policies are set to Legacy to allow the connection.
The two security policies are the Service Token signature method and Encryption method.
Customers who are unable to update to v6.40 or later should apply the following mitigations:
- Set DCOM authentication level to 6, which enables encryption of the service token and communication channel between the server and client. Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)
- When it is not possible to update to v6.40 or later, enable verification of the publisher information (i.e., digital signature) of any executable attempting to use the FactoryTalk® Services APIs. This helps prevent a malicious user from calling the API to receive the service token. This setting can be changed from the Application Authorization node located within System Policies using the FactoryTalk® Administration Console application.
- Security Best Practices
VULNERABILITY DETAILS
Rockwell Automation used CVSS v3.1 scoring system to assess the following vulnerabilities.
CVE - 2024 21917 IMPACT
A vulnerability exists in the affected product that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory. If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.
CVSS Base Score: 9.8/10 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 347 Improper Verification of Cryptographic Signature
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.
ADDITIONAL RESOURCES
