All nine vulnerabilities received the highest CVSS criticality score of 10
Rockwell Automation’s FactoryTalk AssetCentre product sits centre stage in many industrial enterprises, overseeing backup and disaster recovery services, version and source control, and inventory management of automation assets.
These functions ensure continuity and uptime, two cornerstones of ICS networks. ICS-specific backup solutions such as FactoryTalk AssetCentre are key elements that enable quick disaster recovery in the event of, for example, a targeted ransomware attack.
In industries where downtime is unacceptable, and especially where public safety may be impacted, organisations must have a reliable backup available.
As part of our strategic research on these types of product lines, the Claroty Research Team focused on the pre-authentication attack surface of the FactoryTalk suite, specifically FactoryTalk AssetCentre. We examined the ability of an attacker to compromise the backup server, own the ICS data, and have direct access to lower-level devices. These types of attacks can be devastating, given the ransomware and extortion climate, and attackers’ targeting of backups in such intrusions.
Claroty privately disclosed a number of serious vulnerabilities in the product to Rockwell Automation, some of which could be used alone or chained to remotely access and execute arbitrary code.
An attacker who is able to successfully exploit these vulnerabilities could do so without authentication and control the centralised FactoryTalk AssetCentre Server and Windows-based engineering stations communicating with the server.
In short order, an attacker could own a facility’s entire operational technology (OT) network and run commands on server agents and automation devices such as programmable logic controllers (PLCs). This type of attack traverses the Purdue Model, from the operations level to the control level (see graphic below).
An attacker able to compromise the FactoryTalk AssetCentre server can also access engineering workstations and lower-level devices, such as PLCs.
All of the nine vulnerabilities were assessed a CVSS score of 10, the highest criticality score. Users are urged to update FactoryTalk Asset Centre to v11 or above; FactoryTalk AssetCentre v10 and earlier are affected. ICS-CERT, today, also published an advisory that includes vulnerability and mitigation information.
Industrial control systems and other products for the domain are developed with the understanding that most organisations don’t have rapid product turnover cycles, nor do they tolerate interruptions to the reliability and availability of products. Research teams bring nuanced insight to their work on products and are invaluable to the ongoing security of the industrial ecosystem.
The Claroty Research Team has found, disclosed, and helped address more than 70 vulnerabilities in ICS devices and OT protocols used in diverse industries worldwide. We’ve done so in partnership with companies such as Rockwell Automation, which continues to enhance the security practices embedded in its software development lifecycle and foster coordinated disclosures and patching with research teams such as Claroty’s.
FactoryTalk AssetCentre a Powerful Target for Attackers
FactoryTalk AssetCentre is a powerful, centralised tool where project files are stored for use on any Rockwell Automation platform. The AssetCentre architecture, from a high level, includes the main server, an MS-SQL server database, clients, and remote agents.
The software agents run on engineering workstations (generally, Windows-based machines); the agents communicate with the centralised server and can accept and send commands to automation devices, such as PLCs. Project files are then updated and sent back to the server, which stores the files centrally. Operators can perform backup and restore, and version control functions from AssetCentre for all PLCs running on a factory floor, for example.
Claroty researchers were able to find deserialisation vulnerabilities in a number of remoting services running on FactoryTalk AssetCentre, which handle inter-process communication within an OT network, as well as SQL-injection vulnerabilities in other service functions. These services run with the highest system privileges, meaning that any arbitrary code supplied by an attacker would also execute with those same privileges, allowing full access to the machine.
Deserialisation vulnerabilities, meanwhile, are a class of bugs that occur when an attacker is able to inject malicious code into a serialised object that would be executed later when being deserialised. Programs such as FactoryTalk AssetCentre have many complex objects, representing different components in the system. As these objects are sent over the network to other instances of the software—AssetCentre in this case—they must be first serialised to binary data in order to be transferred and later deserialised back to a living object in the memory. Deserialisation vulnerabilities force targets to deserialise untrusted data and execute it; the impact of the attack would depend on the particular vulnerability.
Mitigations and Recommendations
Rockwell Automation urges users to update FactoryTalk AssetCentre to v11 in order to mitigate these nine vulnerabilities. The company also recommends users refer to the FactoryTalk AssetCentre Installation Guide and follow guidance there in order to securely configure the tool with SSL on clients, agent computers, and the web client.
Rockwell also recommends configuring IPSec for secure communication; the company acknowledges this does not completely address these vulnerabilities. While it would allow the system to authenticate senders and prevent unauthorised connections, an attacker that was able to leverage an authorised client would still be able to compromise the system. According to Rockwell, using IPSec reduces risk by reducing the potential attack surface.
The Vulnerabilities
Affected Products: FactoryTalk AssetCentre v10 and earlier
CVE Information:
- CVE-2021-27462
CWE-502 Deserialisation of Untrusted Data
CVSS v3 Score: 10 A deserialisation vulnerability was uncovered in the way the FactoryTalk AssetCentre AosService.rem service verifies serialised data. An unauthenticated attacker may exploit this to remotely execute arbitrary code in FactoryTalk AssetCentre. - CVE-2021-27466
CWE-502 Deserialisation of Untrusted Data
CVSS v3 Score: 10A deserialisation vulnerability was found in how the FactoryTalk AssetCentre ArchiveService.rem verifies serialised data. A remote unauthenticated attacker could exploit this and execute arbitrary commands in FactoryTalk AssetCentre.
- CVE-20201-27470
CWE-502 Deserialisation of Untrusted Data
CVSS v3 Score: 10A deserialisation vulnerability was found in the way FactoryTalk AssetCentre LogService.rem verifies serialised data. This vulnerability could be exploited for remote code execution in FactoryTalk AssetCentre pre-authentication.
- CVE-2021-27474
CWE-749 Exposed Dangerous Method or Function
CVSS v3 Score: 10FactoryTalk AssetCentre does not properly restrict IIS remoting services functions, allowing a remote, unauthenticated attacker to modify or expose sensitive data in FactoryTalk AssetCentre.
- CVE-2021-27476
CWE-78 OS Command Injection
CVSS v3 Score: 10 A vulnerability in the SaveConfigFile function of FactoryTalk AssetCentre’s RACompare Service allows for OS command injection, giving a remote unauthenticated attacker the ability to run arbitrary code in FactoryTalk AssetCentre. - CVE-2021-27472
CWE-89 Improper Neutralisation of Special Elements Used in a SQL Command (SQL Injection)
CVSS v3 Score: 10
FactoryTalk AssetCentre’s SearchService allows for the execution of remote SQL statements by an unauthenticated attacker.
- CVE-2021-27468
CWE-89 Improper Neutralisation of Special Elements Used in a SQL Command (SQL Injection)
CVSS v3 Score: 10 The AosService.rem service exposes functions that lack authentication, enabling a remote unauthenticated attacker to execute SQL statements. - CVE-2021-27464
CWE-89 Improper Neutralisation of Special Elements Used in a SQL Command (SQL Injection)
CVSS v3 Score: 10 The ArchiveService.rem service exposes functions that lack authentication, enabling remote execution of SQL statements by an unauthenticated attacker. - CVE-2021-27460
CWE-502 Deserialisation of Untrusted Data
CVSS v3 Score: 10 Multiple FactoryTalk AssetCentre components contain .NET remoting endpoints that deserialise untrusted data without verifying the results will be valid. An unauthenticated local attacker would gain full access to the FactoryTalk AssetCentre main server and agent machines and remotely execute code.
