Team82 disclosed a number of critical vulnerabilities in Rockwell Automation's FactoryTalk AssetCentre product; nine of the vulnerabilities were assessed a CVSS score of 10
AssetCentre oversees backup and DR services, version control and inventory management of automation assets
An attacker could chain the vulnerabilities we uncovered to remotely access an AssetCentre implementation, and remotely execute code
No authentication is required to exploit these vulnerabilities; an attacker would be able to run commands through an engineering workstation and manipulate PLCs and other field devices
Rockwell Automation has addressed nine of the vulnerabilities disclosed by Team82
Users are urged to update FactoryTalk AssetCentre to v11 or above; FactoryTalk AssetCentre v10 and earlier are affected
Rockwell Automation's FactoryTalk AssetCentre product sits center stage in many industrial enterprises, overseeing backup and disaster recovery services, version and source control, and inventory management of automation assets.
These functions ensure continuity and uptime, two cornerstones of ICS networks. ICS-specific backup solutions such as FactoryTalk AssetCentre are key elements that enable quick disaster recovery in the event of, for example, a targeted ransomware attack. In industries where downtime is unacceptable, and especially where public safety may be impacted, organizations must have a reliable backup available.
As part of our strategic research on these types of product lines, Team82 focused on the pre-authentication attack surface of the FactoryTalk suite, specifically FactoryTalk AssetCentre. We examined the ability of an attacker to compromise the backup server, own the ICS data, and have direct access to lower-level devices. These types of attacks can be devastating, given the ransomware and extortion climate, and attackers' targeting of backups in such intrusions.
Last October, Claroty privately disclosed a number of serious vulnerabilities in the product to Rockwell Automation, some of which could be used alone or chained to remotely access and execute arbitrary code. An attacker who is able to successfully exploit these vulnerabilities could do so without authentication and control the centralized FactoryTalk AssetCentre Server and Windows-based engineering stations communicating with the server. In short order, an attacker could own a facility's entire operational technology (OT) network and run commands on server agents and automation devices such as programmable logic controllers (PLCs). This type of attack traverses the Purdue Model, from the operations level to the control level (see graphic below).
Today, Rockwell Automation disclosed some details about these flaws, announcing that it has fixed nine vulnerabilities reported by Claroty. All nine were assessed a CVSS score of 10, the highest criticality score. Users are urged to update FactoryTalk AssetCentre to v11 or above; FactoryTalk AssetCentre v10 and earlier are affected. ICS-CERT also published an advisory today that includes vulnerability and mitigation information.
Industrial control systems and other products for the domain are developed with the understanding that most organizations don't have rapid product turnover cycles, nor do they tolerate interruptions to the reliability and availability of products. Research teams bring nuanced insight to their work on products and are invaluable to the ongoing security of the industrial ecosystem.
The Claroty Research Team has found, disclosed, and helped address more than 70 vulnerabilities in ICS devices and OT protocols used in diverse industries worldwide. We've done so in partnership with companies such as Rockwell Automation, which continues to enhance the security practices embedded in its software development lifecycle and foster coordinated disclosures and patching with research teams such as Claroty's.
FactoryTalk AssetCentre is a powerful, centralized tool where project files are stored for use on any Rockwell Automation platform. The AssetCentre architecture, from a high level, includes the main server, an MS-SQL server database, clients, and remote agents.
The software agents run on engineering workstations (generally, Windows-based machines); the agents communicate with the centralized server and can accept and send commands to automation devices, such as PLCs. Project files are then updated and sent back to the server, which stores the files centrally. Operators can perform backup and restore, and version control functions from AssetCentre for all PLCs running on a factory floor, for example.
Claroty researchers were able to find deserialization vulnerabilities in a number of remoting services running on FactoryTalk AssetCentre, which handle inter-process communication within an OT network, as well as SQL-injection vulnerabilities in other service functions. These services run with the highest system privileges, meaning that any arbitrary code supplied by an attacker would also execute with those same privileges, allowing full access to the machine.
Deserialization vulnerabilities are a class of bugs in which an attacker supplies crafted serialized data that, when the target deserializes it, rebuilds objects of attacker-chosen types and triggers code paths the attacker controls. Programs such as FactoryTalk AssetCentre have many complex objects representing different components of the system. When these objects are sent over the network to other instances of the software, they must first be serialized to binary data for transfer and later deserialized back into live objects in memory. A deserialization vulnerability arises when an endpoint deserializes untrusted data without restricting which types it is willing to instantiate; the impact depends on the particular bug and on what the reconstructed objects can do, up to arbitrary code execution with the privileges of the deserializing service.
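The pattern above in working code, added here as an illustration and not taken from the original post or from Rockwell's product. It uses Python's standard pickle module, which, like many binary object serializers, lets the byte stream name the type to rebuild: the attacker's payload never contains the attacker's own class, only a reference to a callable the victim already has (a benign eval of os.getpid() stands in for an OS command). The hardened side shows an allowlisting unpickler and, preferably, a JSON record that carries data only. ProjectFile, Gadget, RestrictedUnpickler and the sample project name are hypothetical names chosen for the example.

```python
import io
import json
import os
import pickle


class ProjectFile:
    """Constructed stand-in for an object a backup server and its agents might
    exchange. Hypothetical; not a type from FactoryTalk AssetCentre."""

    def __init__(self, name, revision):
        self.name = name
        self.revision = revision

    def __eq__(self, other):
        return isinstance(other, ProjectFile) and vars(self) == vars(other)


class Gadget:
    """Attacker-side helper. The pickler asks __reduce__ how to rebuild the
    object and records the answer, so the bytes name builtins.eval plus an
    argument string; the Gadget class itself never reaches the victim."""

    def __reduce__(self):
        # Benign stand-in for an OS command: returns the victim's PID so the
        # effect is observable without side effects.
        return (eval, ("__import__('os').getpid()",))


def make_malicious_payload():
    payload = pickle.dumps(Gadget())
    assert b"Gadget" not in payload and b"eval" in payload
    return payload


def unsafe_load(data):
    """What a trusting endpoint does: rebuild whatever the peer sent."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only an allowlist of types; everything else is refused before
    any constructor or callable runs."""

    ALLOWED = {(__name__, "ProjectFile")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def to_json(pf):
    """Preferred fix: a wire format that carries data only, never type names."""
    return json.dumps({"name": pf.name, "revision": pf.revision})


def from_json(text):
    doc = json.loads(text)
    if set(doc) != {"name", "revision"} or not isinstance(doc["name"], str) \
            or not isinstance(doc["revision"], int):
        raise ValueError("malformed project record")
    return ProjectFile(doc["name"], doc["revision"])


def demo_unsafe():
    """True when deserializing the payload ran attacker-chosen code."""
    return unsafe_load(make_malicious_payload()) == os.getpid()


def demo_restricted():
    """True when the allowlist rejects the payload yet still loads a ProjectFile."""
    try:
        restricted_load(make_malicious_payload())
        return False
    except pickle.UnpicklingError:
        pass
    original = ProjectFile("Line3_PLC.ACD", 7)
    return restricted_load(pickle.dumps(original)) == original


def demo_json():
    """True when the JSON path round-trips a record and rejects a malformed one."""
    pf = ProjectFile("Line3_PLC.ACD", 7)
    try:
        from_json('{"name": "x", "revision": "7"}')
        return False
    except ValueError:
        pass
    return from_json(to_json(pf)) == pf


if __name__ == "__main__":
    print("unsafe load executed attacker code:", demo_unsafe())
    print("restricted loader blocked it:", demo_restricted())
    print("json round-trip ok:", demo_json())
```

The allowlist is the minimum a receiver should do if it cannot change the wire format; it refuses the type before anything runs, which is the property an ad hoc blocklist of "dangerous" types cannot give. Where the protocol can be changed, the JSON path removes the problem entirely, because there is no type name in the data for the receiver to resolve.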
Rockwell Automation urges users to update FactoryTalk AssetCentre to v11 in order to mitigate these nine vulnerabilities. The company also recommends users refer to the FactoryTalk AssetCentre Installation Guide and follow guidance there in order to securely configure the tool with SSL on clients, agent computers, and the web client.
Rockwell also recommends configuring IPSec for secure communication; the company acknowledges this does not completely address these vulnerabilities. While it would allow the system to authenticate senders and prevent unauthorized connections, an attacker that was able to leverage an authorized client would still be able to compromise the system. According to Rockwell, using IPSec reduces risk by reducing the potential attack surface.
Affected products: FactoryTalk AssetCentre v10 and earlier
We want to thank Rockwell PSIRT for its coordination efforts with this vulnerability disclosure, its response in addressing these critical vulnerabilities, and its efforts around securing its products.
OS COMMAND INJECTION CWE-78
A vulnerability exists in the SaveConfigFile function of the RACompare Service, which may allow for OS command injection. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.
CVSS v3: 10
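An illustration of the bug class in this entry, added here and not taken from the RACompare Service, whose SaveConfigFile code is not shown on this page: a hypothetical save_config_vulnerable handler pastes a client-supplied file name into a shell command line, so a name carrying shell metacharacters runs a second command; save_config_hardened does the same job without ever invoking a shell, validating the name against an allowlist and confining it to the configuration directory. The function names, the name pattern and the sample contents are assumptions for the example, and the demo assumes a POSIX /bin/sh with printf and touch available.

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed policy: short names made of safe characters only; no separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def save_config_vulnerable(config_dir, filename, body):
    """Hypothetical handler in the style of the flaw described above: the file
    name comes straight from the client and is spliced into a shell command.
    Returns the command line it ran, for inspection."""
    cmd = f'printf "%s" "{body}" > "{config_dir}/{filename}"'
    subprocess.run(cmd, shell=True, check=False)  # the shell parses attacker text
    return cmd


def save_config_hardened(config_dir, filename, body):
    """Same job with no shell: validate the name, confine the result to
    config_dir, and let the runtime open the file. Raises ValueError on
    anything outside the policy."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    base = Path(config_dir).resolve()
    target = (base / filename).resolve()
    if target.parent != base:  # catches names like ".." that pass the regex
        raise ValueError("path escapes config directory")
    target.write_text(body)
    return target


def injection_creates_marker():
    """True if a crafted name made the vulnerable handler run a second command.
    The payload closes the quoted redirect target and appends a touch."""
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "pwned")
        evil_name = f'x.cfg"; touch "{marker}'
        save_config_vulnerable(d, evil_name, "retries=3")
        return os.path.exists(marker)


def hardened_rejects_and_writes():
    """True if the hardened handler refuses every hostile name and still writes
    a legitimate file with the expected contents."""
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "pwned")
        hostile = (f'x.cfg"; touch "{marker}', "../etc/passwd", "x.cfg\n", "..")
        for bad in hostile:
            try:
                save_config_hardened(d, bad, "retries=3")
                return False
            except ValueError:
                pass
        written = save_config_hardened(d, "line3.cfg", "retries=3")
        return written.read_text() == "retries=3" and not os.path.exists(marker)


if __name__ == "__main__":
    print("vulnerable handler ran injected command:", injection_creates_marker())
    print("hardened handler rejected all hostile names:", hardened_rejects_and_writes())
```

The point of the hardened version is structural rather than a better escaping routine: once no shell is involved, the file name is only ever a file name, and the remaining risk (path traversal) is handled by resolving the path and checking it stays under the configuration directory.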