Rockwell Clears FactoryTalk Vulnerabilities

Wednesday, July 27, 2016 @ 10:07 AM gHale


Rockwell Automation created a new version to mitigate authentication vulnerabilities in the FactoryTalk EnergyMetrix application, according to a report from ICS-CERT.

FactoryTalk EnergyMetrix Version 2.10.00 and prior versions suffer from the remotely exploitable vulnerabilities.

Successful exploitation of these vulnerabilities may give unauthenticated access to the affected system.

Milwaukee, WI-based Rockwell Automation provides industrial automation control and information products worldwide across a wide range of industries.

The affected product, FactoryTalk EnergyMetrix, is a web-enabled management software package that captures, analyzes, stores, and shares energy data. The product sees action across several sectors, including chemical, commercial facilities, critical manufacturing, energy, government facilities, and water and wastewater systems. Rockwell Automation said the product sees use on a global basis.

User credentials are not immediately invalidated after the user performs an explicit logout, which may allow an attacker to use these credentials until reset.

CVE-2016-4531 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
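The logout flaw described above comes down to whether the server discards its own record of the session or only asks the browser to forget it. The sketch below is an added example, not Rockwell Automation's code: the `SessionStore` class, its methods and the in-memory session table are hypothetical, and it contrasts a logout that leaves the token valid until a credential reset with one that revokes it immediately.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session table (token -> username)."""

    def __init__(self, revoke_on_logout):
        self.revoke_on_logout = revoke_on_logout
        self._sessions = {}

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def logout(self, token):
        # Weak form: only the browser is told to drop its cookie; the
        # server-side record survives, so a copied token keeps working.
        # Hardened form: the record is deleted before the response is sent.
        if self.revoke_on_logout:
            self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0; HttpOnly; Secure"}

    def reset_credentials(self, username):
        # A credential reset drops every session issued to that user.
        stale = [t for t, u in self._sessions.items() if u == username]
        for token in stale:
            del self._sessions[token]

    def authenticate(self, token):
        return self._sessions.get(token)


def token_state_after_logout(store, username="operator"):
    """Regression check: is a token still accepted after logout and after reset?"""
    token = store.login(username)
    store.logout(token)
    after_logout = store.authenticate(token) is not None
    store.reset_credentials(username)
    after_reset = store.authenticate(token) is not None
    return after_logout, after_reset


if __name__ == "__main__":
    print("weak logout    :", token_state_after_logout(SessionStore(False)))
    print("hardened logout:", token_state_after_logout(SessionStore(True)))
```

The same check, pointed at a test instance of a real application, makes a useful regression test after upgrading: a token captured before logout should be rejected on the very next request.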

In addition, an anonymous user may be able to escalate privileges resulting in privileged access to the application and its data files but not to the underlying computer system. The impact of this vulnerability is highly dependent on the user’s environment and the level of privilege the web server service account has with its associated database.

CVE-2016-4522 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.

Rockwell Automation released Version 2.20.00 and Version 2.30.00, which address the identified vulnerabilities. Rockwell Automation recommends that FactoryTalk EnergyMetrix users install Version 2.30.00 or the latest version.

Rockwell Automation’s new versions, Version 2.20.00 and Version 2.30.00, are available at this link with a valid account.

In addition to applying the latest software version, Rockwell Automation recommends applying the following additional mitigations:
1. Ensure the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is granted only with the minimum amount of rights needed.
2. Configure and enable HTTPS on your FactoryTalk EnergyMetrix server, which will help protect the confidentiality and integrity of information exchanged between the web browser and server.
3. Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
4. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

Click here for Rockwell Automation’s security notification. You must have a valid account to view the report.