Severity:
High
Advisory ID:
PN1569
發佈日期:
June 10, 2021
最近更新:
June 10, 2021
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
否
Corrected:
否
Workaround:
否
CVE IDs
CVE-2021-32960
摘要
FactoryTalk Security Remote Desktop Connection ‘Computer Name’ Policy Bypass Vulnerability
Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 10, 2021. Initial Release.
Executive Summary
Rockwell Automation discovered a vulnerability in FactoryTalk® Security, part of FactoryTalk Service Platform. This vulnerability, if successfully exploited, may allow remote, authenticated users to bypass FactoryTalk Security policies that are based on a computer name. These policies may be important to customers who are concerned about users at an engineering workstation having ‘line-of-site’ visibility to the systems they are operating.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed.
Vulnerability Details
CVE-2021-32960: FactoryTalk Security protection mechanism failure for remote desktop connections
FactoryTalk Services Platform contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. If successfully exploited, this may allow an attacker to have the same privileges as if they were logged on to the client machine.
CVSS v3.1 Base Score: 8.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
FactoryTalk Services Platform contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. If successfully exploited, this may allow an attacker to have the same privileges as if they were logged on to the client machine.
CVSS v3.1 Base Score: 8.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Risk Mitigation & User Action
Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.
If upgrade is not possible, customers should consider the following guidance:
Vulnerability | Suggested Actions |
CVE-2021-32960 | Apply FactoryTalk Services Platform v6.20 or later. |
If upgrade is not possible, customers should consider the following guidance:
- When possible, do not utilize remote desktop connections.
- Use Microsoft® Event Logger or similar event logging application to monitor atypical remote desktop connections and disconnections. Information on Setting up Windows® Event Logs is available at Knowledgebase Article QA5965.
General Security Guidelines
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knoweldgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
Copyright ©2022 Rockwell Automation, Inc.