Severity:
High,
Medium
Advisory ID:
PN1627
Published Date:
June 13, 2023
Last Updated:
June 13, 2023
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2023-2639,
CVE-2023-2637,
CVE-2023-2638
Summary
FactoryTalk® System Services affecting FactoryTalk® Policy Manager – Multiple Vulnerabilities
Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023
Affected Products
| Affected Product (automated) | First Known in Software Version | Corrected in Software Version |
| FactoryTalk® Services Platform * Only if the following were installed:
| 6.11.00 | 6.30.00 |
Vulnerability Details
Rockwell Automation received a report from Claroty regarding three vulnerabilities in FactoryTalk® System Services. If successfully exploited, these vulnerabilities may result in information disclosure, loading of malicious configuration files, or the elevation of privileges from a user to an administrator.
FactoryTalk® Policy Manager is dependent upon FactoryTalk® System Services and both components must be installed together. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2023-2637 IMPACT
Hard-coded cryptographic key may lead to privilege escalation. FactoryTalk® System Services uses a hard-coded cryptographic key to generate administrator cookies. This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk® Policy Manger database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk® Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited.
Known Exploited Vulnerability (KEV) database:
CVE-2023-2638 IMPACT
Improper authorization in FTSSBackupRestore.exe may lead to the loading of malicious configuration archives. FactoryTalk® System Services does not verify that a backup configuration archive is password protected. This vulnerability may allow a local, authenticated non-admin user to craft a malicious backup archive, without password protection, that will be loaded by FactoryTalk® System Services as a valid backup when a restore procedure takes places. User interaction is required for this vulnerability to be successfully exploited.
Known Exploited Vulnerability (KEV) database:
CVE-2023-2639 IMPACT
Origin validation error may lead to information disclosure. The underlying feedback mechanism of FactoryTalk® System Services that transfers the FactoryTalk® Policy Manager rules to relevant devices on the network does not verify that the origin of the communication is from a legitimate local client device. This may allow a threat actor to craft a malicious website that, when visited, will send a malicious script that can connect to the local WebSocket endpoint and wait for events as if it was a valid client device. If successfully exploited, this would allow a threat actor to receive information including whether FactoryTalk® Policy Manager is installed and potentially the entire security policy. User interaction is required for this vulnerability to be successfully exploited.
Known Exploited Vulnerability (KEV) database:
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
FactoryTalk® Policy Manager is dependent upon FactoryTalk® System Services and both components must be installed together. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2023-2637 IMPACT
Hard-coded cryptographic key may lead to privilege escalation. FactoryTalk® System Services uses a hard-coded cryptographic key to generate administrator cookies. This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk® Policy Manger database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk® Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited.
CVSS Base Score: 7.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H.
CWE: CWE-321: Use of Hard-coded Cryptographic KeyKnown Exploited Vulnerability (KEV) database:
NoCVE-2023-2638 IMPACT
Improper authorization in FTSSBackupRestore.exe may lead to the loading of malicious configuration archives. FactoryTalk® System Services does not verify that a backup configuration archive is password protected. This vulnerability may allow a local, authenticated non-admin user to craft a malicious backup archive, without password protection, that will be loaded by FactoryTalk® System Services as a valid backup when a restore procedure takes places. User interaction is required for this vulnerability to be successfully exploited.
CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
CWE: CWE-287: Improper AuthenticationKnown Exploited Vulnerability (KEV) database:
NoCVE-2023-2639 IMPACT
Origin validation error may lead to information disclosure. The underlying feedback mechanism of FactoryTalk® System Services that transfers the FactoryTalk® Policy Manager rules to relevant devices on the network does not verify that the origin of the communication is from a legitimate local client device. This may allow a threat actor to craft a malicious website that, when visited, will send a malicious script that can connect to the local WebSocket endpoint and wait for events as if it was a valid client device. If successfully exploited, this would allow a threat actor to receive information including whether FactoryTalk® Policy Manager is installed and potentially the entire security policy. User interaction is required for this vulnerability to be successfully exploited.
CVSS Base Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE: CWE-346: Origin Validation ErrorKnown Exploited Vulnerability (KEV) database:
NoCustomers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Risk Mitigation & User Action
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
CVE-2023-2638 JSON
CVE-2023-2639 JSON
- Upgrade to 6.30.00 or later which has been patched to mitigate these issues.
- For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
- Additionally, we encourage the customer to implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.
Additional Resources
CVE-2023-2637 JSONCVE-2023-2638 JSON
CVE-2023-2639 JSON
Copyright ©2022 Rockwell Automation, Inc.