By Sharon Brizinov and Amir Preminger | April 1, 2021

Rockwell Automation’s FactoryTalk AssetCentre product sits center stage in many industrial enterprises, overseeing backup and disaster recovery services, version and source control, and inventory management of automation assets.

These functions ensure continuity and uptime, two cornerstones of ICS networks. ICS-specific backup solutions such as FactoryTalk AssetCentre are key elements that enable quick disaster recovery in the event of, for example, a targeted ransomware attack. In industries where downtime is unacceptable, and especially where public safety may be impacted, organizations must have a reliable backup available.

As part of our strategic research on these types of product lines, the Claroty Research Team focused on the pre-authentication attack surface of the FactoryTalk suite, specifically FactoryTalk AssetCentre. We examined the ability of an attacker to compromise the backup server, own the ICS data, and have direct access to lower-level devices. These types of attacks can be devastating, given the ransomware and extortion climate, and attackers’ targeting of backups in such intrusions.

Last October, Claroty privately disclosed a number of serious vulnerabilities in the product to Rockwell Automation, some of which could be used alone or chained to remotely access and execute arbitrary code. An attacker who is able to successfully exploit these vulnerabilities could do so without authentication and control the centralized FactoryTalk AssetCentre Server and Windows-based engineering stations communicating with the server. In short order, an attacker could own a facility’s entire operational technology (OT) network and run commands on server agents and automation devices such as programmable logic controllers (PLCs). This type of attack traverses the Purdue Model, from the operations level to the control level (see graphic below).

An attacker able to compromise the FactoryTalk AssetCentre server can also access engineering workstations and lower-level devices, such as PLCs.

An attacker able to compromise the FactoryTalk AssetCentre server can also access engineering workstations and lower-level devices, such as PLCs.

Today, Rockwell Automation disclosed some details about these flaws, announcing that it has fixed nine vulnerabilities reported by Claroty. All of the nine vulnerabilities were assessed a CVSS score of 10, the highest criticality score. Users are urged to update FactoryTalk Asset Centre to v11 or above; FactoryTalk AssetCentre v10 and earlier are affected. ICS-CERT, today, also published an advisory that includes vulnerability and mitigation information.

Industrial control systems and other products for the domain are developed with the understanding that most organizations don’t have rapid product turnover cycles, nor do they tolerate interruptions to the reliability and availability of products. Research teams bring nuanced insight to their work on products and are invaluable to the ongoing security of the industrial ecosystem.

The Claroty Research Team has found, disclosed, and helped address more than 70 vulnerabilities in ICS devices and OT protocols used in diverse industries worldwide. We’ve done so in partnership with companies such as Rockwell Automation, which continues to enhance the security practices embedded in its software development lifecycle and foster coordinated disclosures and patching with research teams such as Claroty’s.

FactoryTalk AssetCentre a Powerful Target for Attackers

FactoryTalk AssetCentre is a powerful, centralized tool where project files are stored for use on any Rockwell Automation platform. The AssetCentre architecture, from a high level, includes the main server, an MS-SQL server database, clients, and remote agents.

The software agents run on engineering workstations (generally, Windows-based machines); the agents communicate with the centralized server and can accept and send commands to automation devices, such as PLCs. Project files are then updated and sent back to the server, which stores the files centrally. Operators can perform backup and restore, and version control functions from AssetCentre for all PLCs running on a factory floor, for example.

Claroty researchers were able to find deserialization vulnerabilities in a number of remoting services running on FactoryTalk AssetCentre, which handle inter-process communication within an OT network, as well as SQL-injection vulnerabilities in other service functions. These services run with the highest system privileges, meaning that any arbitrary code supplied by an attacker would also execute with those same privileges, allowing full access to the machine.

Deserialization vulnerabilities, meanwhile, are a class of bugs that occur when an attacker is able to inject malicious code into a serialized object that would be executed later when being deserialized. Programs such as FactoryTalk AssetCentre have many complex objects, representing different components in the system. As these objects are sent over the network to other instances of the software—AssetCentre in this case—they must be first serialized to binary data in order to be transferred and later deserialized back to a living object in the memory. Deserialization vulnerabilities force targets to deserialize untrusted data and execute it; the impact of the attack would depend on the particular vulnerability.

Mitigations and Recommendations

Rockwell Automation urges users to update FactoryTalk AssetCentre to v11 in order to mitigate these nine vulnerabilities. The company also recommends users refer to the FactoryTalk AssetCentre Installation Guide and follow guidance there in order to securely configure the tool with SSL on clients, agent computers, and the web client.

Rockwell also recommends configuring IPSec for secure communication; the company acknowledges this does not completely address these vulnerabilities. While it would allow the system to authenticate senders and prevent unauthorized connections, an attacker that was able to leverage an authorized client would still be able to compromise the system. According to Rockwell, using IPSec reduces risk by reducing the potential attack surface.

The Vulnerabilities

Affected Products:

FactoryTalk AssetCentre v10 and earlier

CVE Information:
  • CVE-2021-27462

    CWE-502 Deserialization of Untrusted Data
    CVSS v3 Score: 10

    A deserialization vulnerability was uncovered in the way the FactoryTalk AssetCentre AosService.rem service verifies serialized data. An unauthenticated attacker may exploit this to remotely execute arbitrary code in FactoryTalk AssetCentre.

  • CVE-2021-27466

    CWE-502 Deserialization of Untrusted Data
    CVSS v3 Score: 10

    A deserialization vulnerability was found in how the FactoryTalk AssetCentre ArchiveService.rem verifies serialized data. A remote unauthenticated attacker could exploit this and execute arbitrary commands in FactoryTalk AssetCentre.

  • CVE-20201-27470

    CWE-502 Deserialization of Untrusted Data
    CVSS v3 Score: 10

    A deserialization vulnerability was found in the way FactoryTalk AssetCentre LogService.rem verifies serialized data. This vulnerability could be exploited for remote code execution in FactoryTalk AssetCentre pre-authentication.

  • CVE-2021-27474

    CWE-749 Exposed Dangerous Method or Function
    CVSS v3 Score: 10

    FactoryTalk AssetCentre does not properly restrict IIS remoting services functions, allowing a remote, unauthenticated attacker to modify or expose sensitive data in FactoryTalk AssetCentre.

  • CVE-2021-27476

    CWE-78 OS Command Injection
    CVSS v3 Score: 10

    A vulnerability in the SaveConfigFile function of FactoryTalk AssetCentre’s RACompare Service allows for OS command injection, giving a remote unauthenticated attacker the ability to run arbitrary code in FactoryTalk AssetCentre.

  • CVE-2021-27472

    CWE-89 Improper Neutralization of Special Elements Used in a SQL Command (SQL Injection)
    CVSS v3 Score: 10

    FactoryTalk AssetCentre’s SearchService allows for the execution of remote SQL statements by an unauthenticated attacker.

  • CVE-2021-27468

    CWE-89 Improper Neutralization of Special Elements Used in a SQL Command (SQL Injection)
    CVSS v3 Score: 10

    The AosService.rem service exposes functions that lack authentication, enabling a remote unauthenticated attacker to execute SQL statements.

  • CVE-2021-27464

    CWE-89 Improper Neutralization of Special Elements Used in a SQL Command (SQL Injection)
    CVSS v3 Score: 10

    The ArchiveService.rem service exposes functions that lack authentication, enabling remote execution of SQL statements by an unauthenticated attacker.

  • CVE-2021-27460

    CWE-502 Deserialization of Untrusted Data
    CVSS v3 Score: 10

    Multiple FactoryTalk AssetCentre components contain .NET remoting endpoints that deserialize untrusted data without verifying the results will be valid. An unauthenticated local attacker would gain full access to the FactoryTalk AssetCentre main server and agent machines and remotely execute code.

Acknowledgment

We want to thank Rockwell PSIRT for its coordination efforts with this vulnerability disclosure, its response in addressing these critical vulnerabilities, and its efforts around securing its products.