FactoryTalk® Service Platform Service Token Vulnerability
Published Date: January 30, 2024
Last updated: March 5th, 2024 *Updated Mitigations and Workarounds*
Revision Number: 1.0
CVSS Score: 9.8/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product |
First Known in software version |
Corrected in software version |
FactoryTalk® Service Platform |
<= v6.31 |
v6.40 or later |
Mitigations and Workarounds
Customers using the affected software should use risk mitigations and our suggested security best practices to minimize the risks.
Customers updating to v6.40 or later should do one of the following steps:
- Set the FactoryTalk Directory’s System Communications Type security policy to SOCKET.IO. This prevents FactoryTalk Services Platform from using the DCOM communication channel. When set to SOCKET.IO only v6.40, and later, FactoryTalk Directory clients can communicate with the FactoryTalk Directory server.
- If the v6.40 (or later) FactoryTalk Directory server must support communication with legacy FactoryTalk Directory client versions, v6.31 and earlier, System Communication Type setting should not be altered from AUTO or DCOM.
Instead, elevate DCOM Authentication Level to PACKET PRIVACY (‘6’). Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)
IMPORTANT! Two v 6.40 (or later) FactoryTalk Directory security policies can prevent legacy FactoryTalk Directory clients, v6.31 and earlier, from connecting with the FactoryTalk Directory server. Set both security policies Legacy to allow the connection.
The two security policies are the Service Token signature method and Encryption method.
Customers who are unable to update to v6.40 or later should apply the following:
- Set DCOM authentication level to 6. This enables encryption of the service token and communication channel between the server and client. Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)
- When it is not possible to update to v6.40 or later, enable verification of the publisher information (i.e., digital signature) of any executable attempting to use the FactoryTalk® Services APIs. This helps prevent a threat actor from calling the API to receive the service token. This setting can be changed from the Application Authorization node located within System Policies using the FactoryTalk® Administration Console application.
- Security Best Practices
SECURITY ISSUE DETAILS
Rockwell Automation used CVSS v3.1 scoring system to assess the following security issues.
CVE - 2024 21917 IMPACT
A security issue exists in the affected product. This allows a malicious user to obtain the service token and use it for authentication on another FactoryTalk® Service Platform (FTSP) directory. This is due to the lack of digital signing between the FTSP service token and directory. A threat actor could potentially retrieve user information and modify settings without any authentication.
CVSS Base Score: 9.8/10 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 347 Improper Verification of Cryptographic Signature
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.
ADDITIONAL RESOURCES
Glossary
Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
