Pre-authentication attack surface identified on Rockwell’s FactoryTalk AssetCentre tool


Industrial cybersecurity firm Claroty has detected nine vulnerabilities in the pre-authentication attack surface of Rockwell Automation’s FactoryTalk suite, especially on the FactoryTalk AssetCentre tool.

An attacker can exploit these security vulnerabilities without authentication, and control the centralized FactoryTalk AssetCentre Server and Windows-based engineering stations communicating with the server. In short order, an attacker could take over a facility’s entire operational technology (OT) network and run commands on server agents and automation devices such as programmable logic controllers (PLCs), Claroty said. This type of attack traverses the Purdue Model, from the operations level to the control level.  

The Claroty researchers examined the ability of an attacker to compromise the backup server and own the ICS (industrial control system) data, with direct access to lower-level devices. These types of attacks can be devastating, given the opportunity for ransomware and extortion, with attackers targeting backups in such intrusions.

According to an advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), Rockwell Automation disclosed some details about the security flaws, announcing that it has fixed the nine vulnerabilities reported by Claroty. All nine vulnerabilities were assessed with a CVSS score of 10, the highest criticality score. Users are urged to update FactoryTalk AssetCentre to v11 or above, as earlier versions are affected.

At the backbone of several industrial enterprises lies Rockwell Automation’s FactoryTalk AssetCentre, a centralized tool where project files are stored for use on any Rockwell platform. The AssetCentre tool oversees backup and disaster recovery services, version and source control, and inventory management of automation assets.

The AssetCentre architecture, from a high level, includes the main server, an MS-SQL server database, clients, and remote agents, wrote Sharon Brizinov and Amir Preminger, in a Claroty blog post. ICS-specific backup solutions such as FactoryTalk AssetCentre are critical elements that enable quick disaster recovery in the event of, for example, a targeted ransomware attack. “In industries where downtime is unacceptable, and especially where public safety may be impacted, organizations must have a reliable backup available,” the post adds.

The software agents run on engineering workstations, communicate with the centralized server and can accept and send commands to automation devices, such as PLCs, according to the researchers. Project files are then updated and sent back to the server, which stores the files centrally. 

Claroty researchers were able to find deserialization vulnerabilities in a number of remoting services running on FactoryTalk AssetCentre, which handle inter-process communication within an OT network, as well as SQL-injection vulnerabilities in other service functions. These services run with the highest system privileges, meaning that any arbitrary code supplied by an attacker would also execute with those same privileges, allowing full access to the machine.

Deserialization vulnerabilities, meanwhile, are a class of bugs that occur when an attacker is able to inject malicious code into a serialized object that would be executed later when being deserialized. Programs such as FactoryTalk AssetCentre have many complex objects, representing different components in the system. 

As these objects are sent over the network to other instances of the software (AssetCentre, in this case), they must first be serialized to binary data in order to be transferred, and later deserialized back into a live object in memory. Deserialization attacks force targets to deserialize untrusted data and execute it; the impact of the attack would depend on the particular vulnerability.
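The mechanism described above, as an added example that is not code from Claroty, Rockwell or AssetCentre: it uses Python's `pickle` as a stand-in serialization format (the article does not say which serializer the affected services use) to show a byte stream choosing which callable runs at load time, next to a loader that only resolves allowlisted types. The class names, the allowlist and the sample record are constructed for illustration.

```python
import io
import pickle
from collections import OrderedDict

# Assumption: the only non-primitive type the receiver expects on this channel.
ALLOWED_TYPES = {("collections", "OrderedDict")}


class SenderChosenCall:
    """Constructed object whose serialized form names a callable to run at load time."""

    def __reduce__(self):
        # Benign stand-in: len("abc"). The sender, not the receiver, picked it.
        return (len, ("abc",))


class AllowlistUnpickler(pickle.Unpickler):
    """Resolve only types the receiver has explicitly allowed."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_TYPES:
            raise pickle.UnpicklingError(f"type not allowed: {module}.{name}")
        return super().find_class(module, name)


def naive_loads(data: bytes):
    # Trusts the byte stream to decide which callables run.
    return pickle.loads(data)


def safe_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def demo():
    record = OrderedDict(name="Line3_PLC_project", version=7)  # constructed sample
    legit = pickle.dumps(record)
    crafted = pickle.dumps(SenderChosenCall())
    results = {"legit": safe_loads(legit), "naive": naive_loads(crafted)}
    try:
        safe_loads(crafted)
        results["safe"] = "accepted"
    except pickle.UnpicklingError as exc:
        results["safe"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The naive loader returns the result of a call the receiver never requested, while the allowlisting loader refuses the stream before anything is invoked. An allowlist narrows what a stream can name; it does not make a general-purpose object format safe for untrusted senders.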

Last October, Claroty privately disclosed a number of serious vulnerabilities in the product to Rockwell Automation, some of which could be used alone or chained to remotely access and execute arbitrary code, according to the blog post. 

Rockwell has, in the meantime, asked its users to update FactoryTalk AssetCentre to v11 in order to mitigate the vulnerabilities. The company also recommends configuring IPSec for secure communication, though it acknowledges that this does not completely address these vulnerabilities. While IPSec would allow the system to authenticate senders and prevent unauthorized connections, an attacker that was able to leverage an authorized client would still be able to compromise the system.

In February, Claroty detected the presence of a severe vulnerability that affects communications between Rockwell Automation PLCs and engineering stations. Exploiting the flaw enabled an attacker to remotely connect to almost any of the company’s Logix PLCs, and upload malicious code, download information from the PLC, or install new firmware.
