Loading

PN1000 | FactoryTalk Alarms and Events Historian Denial of Service

Severity:
High
Advisory ID:
PN1000
Published Date:
December 07, 2017
Last Updated:
December 07, 2017
Revision Number:
1.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2017-14022
Summary
FactoryTalk Alarms and Events Historian Denial of Service

Introduction

FactoryTalk Alarms and Events Historian Denial of Service

Description

Version 1.1 - December 7, 2017
Version 1.0 - November 1, 2017

A vulnerability exists in FactoryTalk® Alarms and Events (FTAE) that, if successfully exploited, can cause a Denial of Service condition to the historian service within FTAE. FactoryTalk Alarms and Events is used to provide a common, consistent view of alarms and events through a FactoryTalk View SE HMI system and is used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

FactoryTalk Alarms and Events v2.90 and earlier.

Factory Talk Alarms & Events is a component of the FactoryTalk Services platform. Customers using FTAE-based alarms in FactoryTalk View SE or Logix-based alarms in ControlLogix / CompactLogix processors will be impacted. FactoryTalk Alarms & Events is installed by several products:

  • FactoryTalk Services (RSLinx® Enterprise), all versions
  • FactoryTalk View SE, version 5.00 and later
  • Studio 5000 Logix Designer®, version 24 and later

Affected customers may consult the Risk Mitigation section of this advisory for information on how to address the issue.

VULNERABILITY DETAILS

An unauthenticated attacker with remote access to a network with FactoryTalk Alarms and Events can send a specially crafted set of packets to port TCP/403 (the history archiver service), causing the service to either stall or terminate.

The history archiver service of FactoryTalk Alarms and Events is used to archive alarms and events to a Microsoft SQL Server database. Disrupting this capability can result in a loss of information, the criticality of which depends on the type of environment that the product is used in. The service must be restarted in order to restore operation.

CVE-2017-14022 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected software are encouraged to update to an available revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.


  1. Product Family Version In Use Suggested Actions
    Factory Talk Alarms and Events V2.90

    - Implement the V2.90 patch (instructions)

    - Disable TCP port 403. See item #2 below for details.
    Factory Talk Alarms and Events V2.81 and earlier

    - Update to FTAE V2.90 from PCDC (instructions) then implement the V2.90 patch (instructions)

    - Disable TCP port 403. See item #2 below for details.

  2. FactoryTalk Alarm and Event history is logged using the Rockwell Alarm Historian service using port 403, and writes alarms and events to the user-configured SQL Server database. If the Rockwell Automation Alarm Historian service is on the same machine as the Rockwell Alarm Event service, then port 403 can be blocked remotely as the historical information is being logged to the local host rather than a remote host. Any other machine in the system that does not have the Rockwell Alarm Historian service on the same machine as the Rockwell Alarm Event service will require access to port 403.

    Note: FactoryTalk View SE clients using the Alarm and Event Log Viewer to view FactoryTalk Alarm and Event history do not require port 403 and can thus be blocked.

GENERAL SECURITY GUIDELINES

  1. Block all traffic to EtherNet/IP™ or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management (UTM) devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270
  2. Use trusted software, software patches, and anti-virus/anti-malware programs, and interact only with trusted web sites and attachments.
  3. Minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet
  4. Locate control system networks and devices behind firewalls, and isolate them from the enterprise network
  5. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices they are installed in.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
07-December 2017 1.1 Updated with CVE #
01-November 2017 1.0 Initial Release

KCS Status

Released

Copyright ©2022 Rockwell Automation, Inc.