Advisory

Rockwell Automation reports another critical issue in FactoryTalk Service Platform

Take action: If you are using FactoryTalk Service Platform, review the advisory closely. Rockwell recommends mitigating measures, so you don't have to rush to patch. As usual with industrial systems, isolation is the first control, then mitigation, then patching. But make sure you have at least set up the isolation and, if possible, the mitigation.


Learn More

Rockwell Automation has issued an alert about a critical vulnerability in their FactoryTalk Service Platform, tracked as CVE-2024-21917 (CVSS v3 score 9.8). The vulnerability has low exploitation complexity and can be exploited remotely.

The vulnerability stems from improper verification of cryptographic signatures in the FactoryTalk Service Platform, in versions prior to v6.4. This flaw allows an attacker to bypass authentication processes, enabling unauthorized retrieval of user information and alteration of settings. The core of the issue lies in the fact that the FactoryTalk Service Platform (FTSP) service token and directory lack proper digital signing, which a malicious user could exploit to obtain the service token and use it for unauthorized access to another FTSP directory.

Rockwell Automation itself reported this vulnerability to the Cybersecurity and Infrastructure Security Agency (CISA).

To mitigate this risk, Rockwell Automation recommends setting the DCOM authentication level to 6, which encrypts the service token and communication channel between server and client. Additionally, they advise verifying the publisher information of executables attempting to use the FactoryTalk Services APIs and suggest updating to version 6.40 or later where possible.
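As an added example (not Rockwell's or CISA's code), the following PowerShell audit checks the two host-level mitigations named above on a Windows host that runs FactoryTalk Services Platform: whether the DCOM authentication level is at least 6 (Packet Privacy), and whether a given executable carries a valid Authenticode signature from the publisher you expect. It assumes the machine-wide DCOM default is stored in the `LegacyAuthenticationLevel` value under `HKLM:\SOFTWARE\Microsoft\Ole`; Rockwell's own procedure may instead set the level on the FTSP application in dcomcnfg, so treat this as a first check rather than a substitute for their steps. The executable paths in `$FtspExecutables` and the publisher pattern are constructed placeholders.

```powershell
# Added example (not Rockwell's or CISA's code): audit the two mitigations
# from the advisory on a FactoryTalk Services Platform host.
# Assumption: the machine-wide DCOM default is the LegacyAuthenticationLevel
# value under HKLM:\SOFTWARE\Microsoft\Ole (6 = RPC_C_AUTHN_LEVEL_PKT_PRIVACY).

function Get-DcomAuthenticationLevel {
    # Returns the configured default level, or $null when the value is not set
    # (an unset value means Windows applies its own default, not level 6).
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.LegacyAuthenticationLevel) {
        return $null
    }
    return [int]$item.LegacyAuthenticationLevel
}

function Test-DcomPacketPrivacy {
    # Level 6 (Packet Privacy) encrypts the service token and the channel.
    $level = Get-DcomAuthenticationLevel
    return ($null -ne $level) -and ($level -ge 6)
}

function Test-PublisherSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: adjust this pattern to the publisher you actually trust.
        [string]$ExpectedPublisherPattern = 'Rockwell Automation'
    )
    # Get-AuthenticodeSignature reports 'Valid' only when the chain verifies
    # and the file has not been modified after signing.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status
        Publisher = $subject
        Trusted   = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedPublisherPattern*")
    }
}

# Constructed placeholder list: replace with the binaries on this host that
# call the FactoryTalk Services APIs.
$FtspExecutables = @(
    'C:\PLACEHOLDER\Path\To\FtspClient.exe'
)

$level = Get-DcomAuthenticationLevel
if (Test-DcomPacketPrivacy) {
    Write-Output "DCOM default authentication level is $level (Packet Privacy): OK"
} else {
    $shown = if ($null -eq $level) { 'not set' } else { $level }
    Write-Output "DCOM default authentication level is $shown: below 6, the service token is not encrypted in transit"
}

foreach ($exe in $FtspExecutables) {
    if (Test-Path -Path $exe) {
        Test-PublisherSignature -Path $exe | Format-Table -AutoSize
    } else {
        Write-Output "Skipping $exe (placeholder path not found)"
    }
}
```

Run it in an elevated PowerShell session on each FTSP server and client. A `Trusted` value of `False` for a binary that is expected to talk to the FactoryTalk Services APIs, or an authentication level below 6, means the corresponding mitigation from the advisory is not yet in place on that host.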

CISA has also issued recommendations to further safeguard against this vulnerability. These include minimizing network exposure of control system devices, using firewalls to separate these systems from business networks, and utilizing secure methods like VPNs for remote access. They also emphasize the importance of staying vigilant against social engineering attacks and ensuring that organizational cybersecurity strategies are robust and up-to-date.

As of the initial publication on January 30, 2024, there have been no reported cases of public exploitation specifically targeting this vulnerability.
