Security Experts:

Rockwell Automation Patches Serious Flaw in FactoryTalk Product

ICS-CERT informed organizations this week that Rockwell Automation has patched a high severity denial-of-service (DoS) vulnerability in one of its FactoryTalk products.

The vulnerability affects version 2.90 and earlier of FactoryTalk Alarms and Events (FTAE), a FactoryTalk Services Platform component installed by the Studio 5000 Logix Designer PLC programming and configuration tool, and the FactoryTalk View SE HMI software.

FTAE provides a consistent view of alarms and events via a View SE HMI system. The product is used worldwide in sectors such as critical infrastructure, entertainment, automotive, food and beverage, and water and wastewater.

The security hole, reported to Rockwell Automation by an unnamed company in the oil and gas sector, is tracked as CVE-2017-14022 and it has been assigned a CVSS score of 7.5. It allows an unauthenticated attacker with remote access to the product to cause its history archiver service to stall or terminate by sending specially crafted packets to TCP port 403.

“The history archiver service of FactoryTalk Alarms and Events is used to archive alarms and events to a Microsoft SQL Server database. Disrupting this capability can result in a loss of information, the criticality of which depends on the type of environment that the product is used in. The service must be restarted in order to restore operation,” Rockwell Automation said in an advisory published last month.

The vulnerability was addressed with the release of a patch for FactoryTalk Alarms and Events 2.90. Users of version 2.81 and earlier have been advised to update to version 2.90 and then apply the patch.

Alternatively, attacks can be mitigated by disabling TCP port 403. This port is typically used to log alarms and events via the historian service to a specified SQL Server database. However, if the historian and the FTAE services are on the same machine, port 403 is not needed as the information is logged to the local host. If the two services are on different machines, port 403 is needed and the mitigation cannot be applied.

Related: High Severity Flaws Patched in Rockwell Automation Tools

Related: Cisco IOS Flaws Expose Rockwell Industrial Switches to Remote Attacks

Related: Rockwell Updates Stratix Routers to Patch Cisco IOS Flaws

Related: Several Vulnerabilities Found in Rockwell Automation PLCs

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.