
PN1559 | FactoryTalk AssetCentre Vulnerable to Arbitrary Code Execution

Severity: Critical
Advisory ID: PN1559
Published Date: April 01, 2021
Last Updated: April 01, 2021
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2021-27466, CVE-2021-27460, CVE-2021-27474, CVE-2021-27468, CVE-2021-27470, CVE-2021-27462, CVE-2021-27464, CVE-2021-27476, CVE-2021-27472
Summary
FactoryTalk AssetCentre Vulnerable to Arbitrary Code Execution

Revision History
Version 1.0 – April 1, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding nine vulnerabilities in FactoryTalk® AssetCentre software. These vulnerabilities, if successfully exploited, may allow unauthenticated attackers to perform arbitrary command execution, SQL injection, or remote code execution.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk AssetCentre, v10.00 and earlier.

Vulnerability Details

CVE-2021-27462: Deserialization of untrusted data in AosService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the AosService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27466: Deserialization of untrusted data in ArchiveService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the ArchiveService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27470: Deserialization of untrusted data in LogService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the LogService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27474: Improperly restricted functions may result in loss of data integrity
FactoryTalk AssetCentre does not properly restrict all functions relating to IIS remoting services. This vulnerability may allow a remote, unauthenticated attacker to modify sensitive data in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27476: RACompareService service vulnerable to OS command injection
A vulnerability exists in the SaveConfigFile function of the RACompareService service that may allow for OS Command Injection. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27472: SearchService service vulnerable to SQL injection
A vulnerability exists in the RunSearch function of SearchService service, which may allow for the execution of remote unauthenticated arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27468: AosService.rem vulnerable to SQL injection
The AosService.rem service exposes functions that lack proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27464: ArchiveService.rem vulnerable to SQL injection
The ArchiveService.rem service exposes functions that lack proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27460: Server deserialization of untrusted data in .NET remoting endpoints may lead to remote code execution
FactoryTalk AssetCentre components contain .NET remoting endpoints that deserialize untrusted data without sufficiently verifying that the resulting data will be valid. This vulnerability may allow a remote, unauthenticated attacker to gain full access to the FactoryTalk AssetCentre main server and all agent machines.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Vulnerability: CVE-2021-27462, CVE-2021-27466, CVE-2021-27470, CVE-2021-27474, CVE-2021-27476, CVE-2021-27472, CVE-2021-27468, CVE-2021-27464, CVE-2021-27460
Suggested Actions: Apply FactoryTalk AssetCentre v11 or above (Download).

As an additional mitigation, customers who are unable to upgrade or are concerned about unauthorized client connections are encouraged to deploy IPsec, a built in security feature found within FactoryTalk AssetCentre. Users should follow guidance found in QA46277. IPsec would minimize exposure to unauthorized clients and has been tested in FactoryTalk AssetCentre v9 – v11.
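To check whether clients outside the expected set are reaching the remoting endpoints named in this advisory, before or after IPsec is deployed, the web server logs can be reviewed. The following is an added example, not Rockwell Automation code: it assumes the endpoints are served through IIS with W3C extended logging enabled, and the `/Example/` path, the addresses and the allow list are constructed sample values.

```python
import ipaddress

# Remoting endpoints named in this advisory (matched on the last path segment).
ENDPOINTS = ("aosservice.rem", "archiveservice.rem", "logservice.rem")

# Constructed sample in IIS W3C extended format; addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-04-02 08:15:01 192.0.2.10 POST /Example/AosService.rem - 80 - 192.0.2.21 - 200
2021-04-02 08:15:07 192.0.2.10 POST /Example/LogService.rem - 80 - 192.0.2.22 - 200
2021-04-02 08:16:44 192.0.2.10 POST /Example/ArchiveService.rem - 80 - 198.51.100.7 - 200
2021-04-02 08:17:02 192.0.2.10 GET /Example/default.htm - 80 - 198.51.100.7 - 200
2021-04-02 08:17:30 192.0.2.10 POST /Example/aosservice.REM - 80 - 203.0.113.9 - 500
"""

def unexpected_remoting_clients(log_text, allowed_networks):
    """Return (timestamp, client_ip, endpoint, status) for hits from outside the allow list."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        # Compare case-insensitively: IIS paths are not case-sensitive.
        endpoint = row.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if endpoint not in ENDPOINTS:
            continue
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue                       # malformed row: skip rather than crash
        if not any(client in net for net in allowed):
            findings.append((f"{row.get('date')} {row.get('time')}", str(client),
                             endpoint, row.get("sc-status")))
    return findings

if __name__ == "__main__":
    # Assumed allow list: the subnet holding the AssetCentre clients and agents.
    for hit in unexpected_remoting_clients(SAMPLE_LOG, ["192.0.2.0/24"]):
        print(hit)
```

Replace the allow list with the subnets of the site's actual AssetCentre clients and agents; any remaining hit is a host that the IPsec policy should be blocking.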

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-091-01
