Attacks and Vulnerabilities
CISA
Industrial Cyber Attacks
Malware, Phishing & Ransomware
News
Threat Landscape
Vulnerabilities

Pre-authentication attack surface identified on Rockwell’s FactoryTalk AssetCentre tool

April 05, 2021
FactoryTalk AssetCentre

Industrial cybersecurity firm Claroty has detected nine vulnerabilities in the pre-authentication attack surface of Rockwell Automation’s FactoryTalk suite, especially on the FactoryTalk AssetCentre tool.

An attacker can exploit these security vulnerabilities without authentication, and control the centralized FactoryTalk AssetCentre Server and Windows-based engineering stations communicating with the server. In short order, an attacker could take over a facility’s entire operational technology (OT) network and run commands on server agents and automation devices such as programmable logic controllers (PLCs), Claroty said. This type of attack traverses the Purdue Model, from the operations level to the control level.  

The Claroty researchers examined the ability of an attacker to compromise the backup server, and own the ICS (industrial control system) data with direct access to lower-level devices. These types of attacks can be devastating, given the opportunity for ransomware and extortion, with attackers’ targeting backups in such intrusions.

According to an advisory released by the Cybersecurity and Infrastructure Agency (CISA), Rockwell Automation disclosed some details about the security flaws, announcing that it has fixed the nine vulnerabilities reported by Claroty. All the nine vulnerabilities were assessed with a CVSS score of 10, the highest criticality score. Users are urged to update FactoryTalk Asset Centre to v11 or above, as earlier versions are affected. 

At the backbone of several industrial enterprises lies Rockwell Automation’s FactoryTalk AssetCentre, a centralized tool where project files are stored for use on any Rockwell platform. The AssetCenter tool overlooks backup and disaster recovery services, version and source control, and inventory management of automation assets. 

The AssetCentre architecture, from a high level, includes the main server, an MS-SQL server database, clients, and remote agents, wrote Sharon Brizinov and Amir Preminger, in a Claroty blog post. ICS-specific backup solutions such as FactoryTalk AssetCentre are critical elements that enable quick disaster recovery in the event of, for example, a targeted ransomware attack. “In industries where downtime is unacceptable, and especially where public safety may be impacted, organizations must have a reliable backup available,” the post adds.

The software agents run on engineering workstations, communicate with the centralized server and can accept and send commands to automation devices, such as PLCs, according to the researchers. Project files are then updated and sent back to the server, which stores the files centrally. 

Claroty researchers were able to find deserialization vulnerabilities in a number of remoting services running on FactoryTalk AssetCentre, which handle inter-process communication within an OT network, as well as SQL-injection vulnerabilities in other service functions. These services run with the highest system privileges, meaning that any arbitrary code supplied by an attacker would also execute with those same privileges, allowing full access to the machine.

Deserialization vulnerabilities, meanwhile, are a class of bugs that occur when an attacker is able to inject malicious code into a serialized object that would be executed later when being deserialized. Programs such as FactoryTalk AssetCentre have many complex objects, representing different components in the system. 

As these objects are sent over the network to other instances of the software – AssetCentre in this case, they must be first serialized to binary data in order to be transferred and later deserialized back to a living object in the memory. Deserialization vulnerabilities force targets to deserialize untrusted data and execute it; the impact of the attack would depend on the particular vulnerability.

Last October, Claroty privately disclosed a number of serious vulnerabilities in the product to Rockwell Automation, some of which could be used alone or chained to remotely access and execute arbitrary code, according to the blog post. 

Rockwell has, in the meanwhile, asked its users to update FactoryTalk AssetCentre to v11 in order to mitigate the vulnerabilities. The company also recommends configuring IPSec for secure communication, as it acknowledges that this does not completely address these vulnerabilities. While it would allow the system to authenticate senders and prevent unauthorized connections, an attacker that was able to leverage an authorized client would still be able to compromise the system. 

In February, Claroty detected the presence of a severe vulnerability that affects communications between Rockwell Automation PLCs and engineering stations. Exploiting the flaw enabled an attacker to remotely connect to almost any of the company’s Logix PLCs, and upload malicious code, download information from the PLC, or install new firmware.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems