Rockwell Fixes FactoryTalk Hole

Wednesday, March 22, 2017 @ 11:03 AM gHale

Rockwell Automation released FactoryTalk Activation, Version 4.01 which fixes an unquoted search path vulnerability, according to a report with ICS-CERT.

Successful exploitation of this vulnerability may allow an authenticated, but nonprivileged, local user to link to or run a malicious executable.


The following versions of FactoryTalk Activation, a component of FactoryTalk Services Platform, suffer from the issue:
• FactoryTalk Activation Service, Version 4.00.02 and prior versions

FactoryTalk Activation is used in the following Rockwell Automation products:
• Arena
• Emonitor
• FactoryTalk AssetCentre
• FactoryTalk Batch
• FactoryTalk EnergyMetrix
• FactoryTalk eProcedure
• FactoryTalk Gateway
• FactoryTalk Historian Site Edition (SE)
• FactoryTalk Historian Classic
• FactoryTalk Information Server
• FactoryTalk Metrics
• FactoryTalk Transaction Manager
• FactoryTalk VantagePoint
• FactoryTalk View Machine Edition (ME)
• FactoryTalk View Site Edition (SE)
• FactoryTalk ViewPoint
• RSFieldBus
• RSLinx Classic
• RSLogix 500
• RSLogix 5000
• RSLogix 5
• RSLogix Emulate 5000
• RSNetWorx
• RSView32
• SoftLogix 5800
• Studio 5000 Architect
• Studio 5000 Logix Designer
• Studio 5000 View Designer
• Studio 5000 Logix Emulate

The vulnerability stems from a service path that is not enclosed in quotation marks: any whitespace in the path is then ambiguous, which may allow an attacker to link to or run a malicious executable. This may allow an authorized but nonprivileged local user to execute arbitrary code with elevated privileges on the system.

CVE-2017-6015 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

The product sees use in the chemical, critical manufacturing, food and agriculture, and water and wastewater systems sectors, and it is deployed worldwide.

No known public exploits specifically target this vulnerability. This vulnerability is not remotely exploitable.

Rockwell Automation released a new version of FactoryTalk Activation, Version 4.01, which addresses the vulnerability. Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation, Version 4.01 or later.

If unable to upgrade to the latest version, users should read Knowledgebase Article KB939382, which describes how to identify whether the service path contains spaces (i.e., is vulnerable) and how to address the vulnerability manually through a registry edit, including the procedure for making such edits.
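As an added illustration of the check described above (example code, not Rockwell's and not the content of KB939382), the following PowerShell enumerates Windows services whose unquoted executable path contains whitespace and shows the quoted path that a registry edit would write; the service names, registry key layout and function names are the standard Windows ones, and the fix function only writes when confirmed.

```powershell
# Added example, not from the advisory or KB939382: report services whose
# unquoted ImagePath contains whitespace and optionally write the quoted path.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }
        if ($path.TrimStart().StartsWith('"')) { return }   # already quoted

        # The executable ends at the first ".exe"; anything after is arguments.
        $m = [regex]::Match($path, '^(?<exe>.+?\.exe)(?<args>.*)$', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe = $m.Groups['exe'].Value

        # Ambiguous only when the unquoted executable path itself has whitespace.
        if ($exe -match '\s') {
            [pscustomobject]@{
                Name      = $_.Name
                RunsAs    = $_.StartName
                ImagePath = $path
                FixedPath = ('"{0}"{1}' -f $exe, $m.Groups['args'].Value)
            }
        }
    }
}

function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Finding)
    process {
        # ImagePath lives under the service's key in the Services hive.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Finding.Name)"
        if ($PSCmdlet.ShouldProcess($key, "Set ImagePath to $($Finding.FixedPath)")) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $Finding.FixedPath
        }
    }
}

# Report first; preview the registry writes with -WhatIf before applying them.
Get-UnquotedServicePath | Format-Table -AutoSize
Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
```

Win32_Service returns PathName with environment variables such as %SystemRoot% already expanded, so review each finding (and back up the key) before writing the fixed value to the registry.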

Rockwell Automation recommends, where feasible, the following precautions and risk mitigation strategies against this type of attack:
• Follow industry best-practices to harden PCs and servers, including antivirus/anti-malware and application whitelisting solutions. These recommendations are published in Knowledgebase Article KB546987.
• Use trusted software, software patches, antivirus/anti-malware programs, and interact only with trusted web sites and attachments.
• Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
