Introduction
Description
Version 1.0 - June 21, 2016
Rockwell Automation has internally discovered and remediated two authentication-based vulnerabilities in the Rockwell Software FactoryTalk® EnergyMetrix™ product. FactoryTalk EnergyMetrix is a web-enabled management software package that gives you access to critical energy information, and allows you to capture, analyze, store, and share energy data with key stakeholders using a standard web browser.
The first vulnerability concerns user credentials that are not immediately invalidated after an explicit logout action is performed by the user, which may allow an attacker to use these credentials in perpetuity. The second vulnerability is an SQL Injection vulnerability which may allow an attacker to access the FactoryTalk EnergyMetrix system without valid user credentials. Both vulnerabilities are exploitable remotely. At this time, there is no known publicly available exploit code relating to the vulnerabilities.
Rockwell Automation has examined the associated attack vectors and has released revised product software to address the risks. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
- FactoryTalk EnergyMetrix v2.10.00 and earlier
VULNERABILITY DETAILS
Authenticated User Token Remains Valid after Logout
When a user explicitly logs out of their FactoryTalk EnergyMetrix account, their authentication token is not immediately invalidated by the system. An attacker who obtained this token would be able to access the FactoryTalk EnergyMetrix system at the same privilege level as the user, by resending the captured token with their request.
CVE-2016-4531 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
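The defect described above, beside its remediation, as an added example that is not the product's code (the advisory does not describe how EnergyMetrix stores sessions): a constructed session store whose logout only clears the browser cookie, next to one that revokes the token server-side on logout and also expires idle sessions. `accepted_after_logout` is a helper written for this example.

```python
import secrets
import time

class LeakySessionStore:
    """Advisory's defect: logout clears the cookie but the server keeps accepting the token."""
    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def logout(self, token):
        return True  # defect: no server-side revocation

    def authenticate(self, token):
        return self._sessions.get(token)

class RevokingSessionStore:
    """Remediated form: logout revokes the token immediately; idle sessions also expire."""
    def __init__(self, idle_timeout_s=900, clock=time.monotonic):
        self._sessions = {}  # token -> (username, last_seen)
        self._idle_timeout_s = idle_timeout_s
        self._clock = clock  # injectable so expiry can be tested deterministically

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._clock())
        return token

    def logout(self, token):
        return self._sessions.pop(token, None) is not None  # False if already unknown

    def authenticate(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        now = self._clock()
        if now - last_seen > self._idle_timeout_s:
            del self._sessions[token]  # stale: treat exactly like a revoked token
            return None
        self._sessions[token] = (username, now)  # sliding idle window
        return username

def accepted_after_logout(store):
    # True if a token captured before logout still authenticates afterwards.
    token = store.login("operator")
    store.logout(token)
    return store.authenticate(token) == "operator"
```

A replayed token is the observable symptom; the check worth automating in a test suite is that `authenticate` returns nothing once `logout` has run.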
SQL Injection
A SQL injection vulnerability allows privilege escalation by an anonymous user, which can result in access to administrative functions of the FactoryTalk EnergyMetrix system. A successful attack results in privileged access to the application and its data files but not to the underlying computer system. The impact of this vulnerability is highly dependent on the user’s environment and the level of privilege the web server service account has with its associated database.
CVE-2016-4522 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
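As an added illustration that is not the product's code (the advisory does not describe the actual queries or tables), the constructed login lookup below shows the defect class beside its remediation: a query assembled by string formatting next to one using bound parameters, both run against an in-memory SQLite table with made-up rows.

```python
import sqlite3

def make_db():
    # Constructed sample schema and rows for this example only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "hash-of-admin-pw", 1), ("operator", "hash-of-op-pw", 0)])
    return db

def lookup_user_vulnerable(db, name, pw_hash):
    # Defect: untrusted input is spliced into the SQL text, so a crafted
    # username can alter the WHERE clause instead of being compared as a value.
    sql = ("SELECT name, is_admin FROM users "
           f"WHERE name = '{name}' AND pw_hash = '{pw_hash}'")
    return db.execute(sql).fetchone()

def lookup_user_fixed(db, name, pw_hash):
    # Remediation: bound parameters; the input can only ever be a string value.
    sql = "SELECT name, is_admin FROM users WHERE name = ? AND pw_hash = ?"
    return db.execute(sql, (name, pw_hash)).fetchone()
```

Parameterization removes the injection itself; the least-privilege advice under RISK MITIGATIONS separately limits what the web server's database account could reach if a query were missed.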
RISK MITIGATIONS
Rockwell Automation recommends that asset owners evaluate the impact of each of these vulnerabilities within their environment and apply those of the following suggested mitigations that are applicable. When possible, multiple strategies should be employed simultaneously.
- Customers using affected versions of FactoryTalk EnergyMetrix software are encouraged to upgrade to the newest available software versions that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks.
Product Family | Catalog Numbers | Software Versions | Suggested Actions
--- | --- | --- | ---
FactoryTalk EnergyMetrix | 9307-FTEM* | V2.10.00 and earlier | Apply version 2.20.00 or later; version 2.30 or later is recommended.

- Ensure that the least-privilege user principle is followed, and that user/service account access to shared resources (such as a database) is granted only with the minimum rights needed.
- Configure and enable HTTPS on your EnergyMetrix server, which protects the confidentiality and integrity of information exchanged between the web browser and server.
- Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.