Vulnerabilities in ICS-specific backup solution open industrial facilities to attack

Claroty researchers have found and privately disclosed nine vulnerabilities affecting Rockwell Automation’s FactoryTalk AssetCentre, an ICS-specific backup solution.

All of the vulnerabilities have been assigned the maximum (10.0) CVSS v3 base score and, by chaining some of them, an attacker could own a facility’s entire operational technology (OT) network and run commands on server agents and automation devices such as programmable logic controllers (PLCs), they warn.

The crucial importance of ICS-specific backup solutions

Rockwell Automation’s FactoryTalk AssetCentre is a centralized tool for securing, managing, versioning, tracking and reporting automation-related asset information across industrial facilities.

The AssetCentre solution is comprised of a main server, an MS-SQL server database, clients, and remote software agents running on engineering workstations. The server sends out commands to the agents, and the agents send them to automation devices. Project files are then updated and sent back to the server.

“Operators can perform backup and restore, and version control functions from AssetCentre for all PLCs running on a factory floor, for example,” the researchers explained.

“ICS-specific backup solutions such as FactoryTalk AssetCentre are key elements that enable quick disaster recovery in the event of, for example, a targeted ransomware attack. In industries where downtime is unacceptable, and especially where public safety may be impacted, organizations must have a reliable backup available.”

The discovered vulnerabilities

Three of the discovered flaws (CVE-2021-27462, CVE-2021-27466, CVE-2021-27470) are deserialization vulnerabilities that may allow an unauthenticated attacker to remotely execute arbitrary code in FactoryTalk AssetCentre, and one (CVE-2021-27460) is a similar flaw that may allow an unauthenticated local attacker to gain full access to the FactoryTalk AssetCentre main server and agent machines and remotely execute code.

Three flaws (CVE-2021-27472, CVE-2021-27468, CVE-2021-27464) are SQL Injection vulnerabilities in service funtions that may enable a remote unauthenticated attacker to execute SQL statements.

Of the remaining two, CVE-2021-27476 is a flaw that may allow a remote unauthenticated attacker to inject commands into the OS (i.e., to run arbitrary code in FactoryTalk AssetCentre), and CVE-2021-27474 is caused by an improper restriction of IIS remoting services functions and may allow a remote, unauthenticated attacker to modify or expose sensitive data in FactoryTalk AssetCentre.

All of these affect FactoryTalk AssetCentre v10 and earlier.

“Rockwell Automation encourages users of the affected versions of FactoryTalk AssetCentre to update to AssetCentre v11 (or above) to addresses these vulnerabilities,” the U.S. Cybersecurity and Infrastructure Security Agency pointed out.

“As an additional mitigation, Rockwell Automation encourages users who are unable to upgrade or are concerned about unauthorized client connections to use built in security features found within FactoryTalk AssetCentre.”

Configuring IPSec for secure communication can partially mitigate these flaws, but implementing the update is a much more effective defense.