Team82 Research
Rockwell Automation's FactoryTalk AssetCentre product sits center stage in many industrial enterprises, overseeing backup and disaster recovery services, version and source control, and inventory management of automation assets.
These functions ensure continuity and uptime, two cornerstones of ICS networks. ICS-specific backup solutions such as FactoryTalk AssetCentre are key elements that enable quick disaster recovery in the event of, for example, a targeted ransomware attack. In industries where downtime is unacceptable, and especially where public safety may be impacted, organizations must have a reliable backup available.
As part of our strategic research on these types of product lines, the Claroty Research Team focused on the pre-authentication attack surface of the FactoryTalk suite, specifically FactoryTalk AssetCentre. We examined the ability of an attacker to compromise the backup server, own the ICS data, and have direct access to lower-level devices. These types of attacks can be devastating, given the ransomware and extortion climate, and attackers' targeting of backups in such intrusions.
Last October, Claroty privately disclosed a number of serious vulnerabilities in the product to Rockwell Automation, some of which could be used alone or chained to remotely access and execute arbitrary code. An attacker who is able to successfully exploit these vulnerabilities could do so without authentication and control the centralized FactoryTalk AssetCentre Server and Windows-based engineering stations communicating with the server. In short order, an attacker could own a facility's entire operational technology (OT) network and run commands on server agents and automation devices such as programmable logic controllers (PLCs). This type of attack traverses the Purdue Model, from the operations level to the control level (see graphic below).
Today, Rockwell Automation disclosed details about these flaws, announcing that it has fixed nine vulnerabilities reported by Claroty. All nine were assessed a CVSS score of 10, the highest criticality score. Users are urged to update FactoryTalk AssetCentre to v11 or above; FactoryTalk AssetCentre v10 and earlier are affected. ICS-CERT also published an advisory today that includes vulnerability and mitigation information.
Industrial control systems and other products for the domain are developed with the understanding that most organizations don't have rapid product turnover cycles, nor do they tolerate interruptions to the reliability and availability of products. Research teams bring nuanced insight to their work on products and are invaluable to the ongoing security of the industrial ecosystem.
The Claroty Research Team has found, disclosed, and helped address more than 70 vulnerabilities in ICS devices and OT protocols used in diverse industries worldwide. We've done so in partnership with companies such as Rockwell Automation, which continues to enhance the security practices embedded in its software development lifecycle and foster coordinated disclosures and patching with research teams such as Claroty's.
FactoryTalk AssetCentre is a powerful, centralized tool where project files are stored for use on any Rockwell Automation platform. The AssetCentre architecture, from a high level, includes the main server, an MS-SQL server database, clients, and remote agents.
The software agents run on engineering workstations (generally, Windows-based machines); the agents communicate with the centralized server and can accept and send commands to automation devices, such as PLCs. Project files are then updated and sent back to the server, which stores the files centrally. Operators can perform backup, restore, and version control functions from AssetCentre for all PLCs running on a factory floor, for example.
Claroty researchers were able to find deserialization vulnerabilities in a number of remoting services running on FactoryTalk AssetCentre, which handle inter-process communication within an OT network, as well as SQL-injection vulnerabilities in other service functions. These services run with the highest system privileges, meaning that any arbitrary code supplied by an attacker would also execute with those same privileges, allowing full access to the machine.
Deserialization vulnerabilities are a class of bugs that occur when an application deserializes data an attacker controls, so that the attacker chooses which object types are instantiated, and which code runs as a side effect, while the data is being deserialized. Programs such as FactoryTalk AssetCentre have many complex objects representing different components in the system. When these objects are sent over the network to other instances of the software (AssetCentre in this case), they must first be serialized to binary data in order to be transferred, and later deserialized back into a live object in memory. A deserialization vulnerability forces the target to deserialize untrusted data and act on it; the impact depends on the particular vulnerability.
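The following is an added illustration of this bug class, not code from AssetCentre or from Rockwell Automation, and it is written in Python rather than in the language of the remoting services described above. It contrasts an unrestricted loader, which resolves whatever type or callable the sender names in the stream, with two defensive patterns: an allowlisting unpickler that refuses any global outside an explicit set, and a data-only format (JSON) checked against an explicit schema. The `ProjectRecord` type, the sample messages, and the allowlist contents are constructed for the example.

```python
import io
import json
import pickle
from dataclasses import dataclass


@dataclass
class ProjectRecord:
    """Constructed stand-in for an object exchanged between services."""
    name: str
    revision: int


# Constructed sample messages. The first is what a well-behaved peer would
# send; the second encodes a reference to an arbitrary importable global (the
# harmless builtin len), which is what a restricted loader must refuse.
BENIGN_MESSAGE = pickle.dumps({"name": "Line3_PLC", "revision": 7})
GLOBAL_REFERENCE = pickle.dumps(len)


def load_unrestricted(data: bytes):
    """Vulnerable pattern: deserialize whatever arrived. pickle resolves any
    module.name global named in the stream, so the sender decides which
    classes and callables are looked up and invoked during loading."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allowlist of (module, name) pairs."""

    # Constructed allowlist: one harmless container type, nothing else.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def _to_record(doc):
    """Schema check shared by both loaders: exactly two fields, right types.
    bool is excluded explicitly because it is a subclass of int."""
    if not isinstance(doc, dict) or set(doc) != {"name", "revision"}:
        return None
    name, rev = doc["name"], doc["revision"]
    if not isinstance(name, str) or isinstance(rev, bool) or not isinstance(rev, int):
        return None
    return ProjectRecord(name, rev)


def load_restricted(data: bytes):
    """Returns a ProjectRecord, or None when the stream names a global outside
    the allowlist or does not match the expected shape."""
    try:
        obj = RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None
    return _to_record(obj)


def parse_project_json(text: str):
    """Preferred design: a data-only format. JSON carries no type information,
    so parsing it cannot reach application code; the schema check does the rest."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    return _to_record(doc)
```

The allowlist is the minimum viable fix when a native serialization format cannot be replaced; the JSON path is the design a new service should start from, since the parser never resolves type names at all.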
Rockwell Automation urges users to update FactoryTalk AssetCentre to v11 in order to mitigate these nine vulnerabilities. The company also recommends users refer to the FactoryTalk AssetCentre Installation Guide and follow guidance there in order to securely configure the tool with SSL on clients, agent computers, and the web client.
Rockwell also recommends configuring IPSec for secure communication; the company acknowledges this does not completely address these vulnerabilities. While it would allow the system to authenticate senders and prevent unauthorized connections, an attacker that was able to leverage an authorized client would still be able to compromise the system. According to Rockwell, using IPSec reduces risk by reducing the potential attack surface.
Affected versions: FactoryTalk AssetCentre v10 and earlier.
We want to thank Rockwell PSIRT for its coordination efforts with this vulnerability disclosure, its response in addressing these critical vulnerabilities, and its efforts around securing its products.
An exposure of sensitive information to an unauthorized actor vulnerability in cgi component in Synology Router Manager (SRM) before 1.3.1-9346-6 allows remote attackers to obtain sensitive information via unspecified vectors.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Synology RT6600ax routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the info.cgi file. The issue results from the exposure of sensitive data to the WAN interface. An attacker can leverage this vulnerability to disclose certain information in the context of the current process.
CVSS V3: 5.3
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in cgi component in Synology Router Manager (SRM) before 1.3.1-9346-6 allows remote attackers to read specific files via unspecified vectors.
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Synology RT6600ax routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the uistrings.cgi file. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current process.
CVSS V3: 5.3
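The path traversal flaw above comes down to a user-supplied path being used in file operations without containment checks. The following added example (not Synology's code; the root directory and file names are constructed) shows a containment check done on the canonical path with `os.path.commonpath`, beside the string-prefix check that handlers commonly use and that a look-alike sibling directory defeats.

```python
import os


def safe_join(root: str, user_path: str):
    """Return the absolute path for user_path confined to root, or None.

    The comparison is made on the canonical (symlink-resolved, normalized)
    path rather than on the raw string, so '..' segments, absolute paths and
    look-alike prefixes such as '<root>_old' are all caught the same way."""
    if "\x00" in user_path:
        return None  # an embedded NUL would truncate the path in C-level APIs
    root_real = os.path.realpath(root)
    # os.path.join discards root when user_path is absolute; realpath then
    # canonicalises whatever results, and commonpath does the containment test.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def naive_prefix_check(root: str, user_path: str) -> bool:
    """The check many handlers actually use, kept here to show its gap:
    a sibling directory whose name starts with root passes it."""
    return os.path.normpath(os.path.join(root, user_path)).startswith(root)


ROOT = "/srv/router/ui/strings"   # constructed example directory
```

Because the check runs after canonicalisation, it also covers percent-decoded input as long as decoding happens before `safe_join` is called, which is the order a web server normally applies.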
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Directory Domain Functionality in Synology Router Manager (SRM) before 1.3.1-9346-6 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology RT6600ax routers. Authentication is required to exploit this vulnerability.
The specific flaw exists within the WEB API endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root.
CVSS V3: 7.2
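The command injection flaw above stems from a user-supplied string reaching a system call without validation. The following added example (not Synology's code; `domain-join` is a hypothetical helper binary and the field formats are assumptions) shows the hardened pattern: allowlist validation of each field, then execution as an argv list with no shell, so separator characters never acquire meaning.

```python
import re
import subprocess

# Labels per RFC 1035 syntax: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")
_USER_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_domain(domain: str) -> str:
    """Allowlist validation: returns the domain unchanged or raises ValueError."""
    if len(domain) > 253 or not _DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"invalid domain name: {domain!r}")
    return domain


def build_join_command(domain: str, admin_user: str) -> list:
    """Build an argv list for the hypothetical 'domain-join' helper.

    Each field is validated against an allowlist and then passed as its own
    argv element. With no shell involved there is no command line to inject
    into, so ';', '|', '$(...)' and quotes carry no special meaning."""
    validate_domain(domain)
    if not _USER_RE.fullmatch(admin_user):
        raise ValueError(f"invalid user name: {admin_user!r}")
    return ["domain-join", "--user", admin_user, domain]


def run_join(domain: str, admin_user: str):
    """Execute with shell=False; argv elements reach the helper unchanged."""
    return subprocess.run(build_join_command(domain, admin_user),
                          check=False, capture_output=True)


def vulnerable_command_string(domain: str) -> str:
    """The vulnerable pattern for comparison: interpolating input into a shell
    string. Returned as text only; this example does not execute it."""
    return f"domain-join --user admin {domain}"


def rejected(domain: str, admin_user: str = "admin") -> bool:
    """True when the input fails validation (used to exercise the checks)."""
    try:
        build_join_command(domain, admin_user)
    except ValueError:
        return True
    return False
```

Validation is deliberately an allowlist of the expected grammar rather than a denylist of shell metacharacters; the denylist approach is what tends to miss the next separator nobody thought of.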
An uncontrolled resource consumption vulnerability in File Functionality in Synology Router Manager (SRM) before 1.3.1-9346-6 allows remote authenticated users to conduct denial-of-service attacks via unspecified vectors.
This vulnerability allows network-adjacent attackers to create a denial-of-service condition on affected installations of Synology RT6600ax routers. Authentication is required to exploit this vulnerability.
The specific flaw exists within the SYNO.Core file. The issue results from uncontrolled resource consumption. An attacker can leverage this vulnerability to create a denial-of-service condition on the device.
CVSS V3: 4.9
CWE-256: Plaintext Storage of a Password
The affected product stores usernames and passwords in plaintext. An attacker with access to this storage could leak legitimate users' credentials.
Softneta recommends users update to v7.2.9.820 of MedDream PACS Server or patch their current system using Fix-v230712.
CVSS V3: 6.1
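The CWE-256 finding above is addressed by storing only a salted, slow, one-way hash of each password. The following added example (not MedDream's code; the record layout, iteration count and sample credential are constructed) shows PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt and a constant-time comparison on verification.

```python
import base64
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    The salt is random per call, so equal passwords yield different records."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time. Malformed records verify as False rather than raising."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


# Constructed "before" record, as a plaintext store would keep it.
PLAINTEXT_RECORD = {"user": "pacsadmin", "password": "Winter2023!"}


def stored_record(user: str, password: str) -> dict:
    """The "after" record: the password itself never reaches storage."""
    return {"user": user, "password_hash": hash_password(password)}
```

Keeping the iteration count inside the record lets the cost be raised later without invalidating existing records: old ones keep verifying at their stored cost and can be re-hashed on the next successful login.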