Three critical security vulnerabilities have been identified in Rockwell Automation’s FactoryTalk Linx. Exploiting them can cause a denial-of-service condition, allow remote code execution, or leak information that could be used to bypass address space layout randomization (ASLR) within industrial control systems (ICS).
FactoryTalk Linx is included with most FactoryTalk software and functions as a data server to deliver information from Allen‑Bradley control products to the control system. The FactoryTalk industrial automation software has been built for supporting advanced industrial applications, which start at the edge where manufacturing happens and scale from on-premise to cloud.
The Cybersecurity and Infrastructure Security Agency (CISA) released an advisory last week recognizing that these vulnerabilities could allow remote, unauthenticated attackers to send malicious port ranges and remotely execute code. The advisory notes that the vulnerabilities are exploitable with a low skill level. They are still under analysis, and not all relevant details are available yet.
Currently, there are no known public exploits that specifically target these vulnerabilities. A flaw has been identified in the Ingress/Egress checks routine of FactoryTalk Linx that could allow a remote, unauthenticated attacker to craft a malicious packet that results in a denial-of-service condition on the device. A CVSS v3 base score of 8.6 has been calculated.
A heap overflow vulnerability was found in FactoryTalk Linx that could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution. A CVSS v3 base score of 9.8 has been calculated.
Another heap overflow vulnerability was detected in FactoryTalk Linx that could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in the leaking of sensitive information. This information disclosure could lead to a bypass of ASLR. A CVSS v3 base score of 5.3 has been calculated for this weakness.
These security flaws were reported by Sharon Brizinov of Claroty to Rockwell Automation PSIRT.
Rockwell advised users of the affected FactoryTalk Linx versions to update to an available software revision that addresses the risks. Where possible, users are also encouraged to combine general security guidelines that apply multiple strategies at once: running the software as ‘user’ instead of ‘administrator,’ using Microsoft AppLocker or a similar application whitelisting tool to help mitigate risk, and confirming that the least-privilege principle is followed, so that user and service accounts are granted only the minimum rights they need to access shared resources.
Users can also minimize network exposure for control system devices and systems and confirm that they are not accessible from the Internet. When remote access is required, secure methods such as up-to-date virtual private networks (VPNs) should be used.
Last week, Rockwell also expanded its cybersecurity certifications and added advanced security capabilities to more of its products that connect production and IT systems and help combat cyberthreats targeting ICS.
Last month, Rockwell Automation introduced its FactoryTalk Edge Gateway, designed to simplify and accelerate IT/OT environments. It acts as the cornerstone of a broader edge platform offering that will include pre-built data analytics models, machine learning, tailored applications and scalable computing.