CVE-2020-14516

10.0 CRITICAL

📋 TL;DR

CVE-2020-14516 is a critical authentication bypass vulnerability in Rockwell Automation FactoryTalk Services Platform where SHA-256 password hashing fails, potentially allowing attackers to authenticate without valid credentials. This affects industrial control systems using FactoryTalk Services Platform versions 6.10.00 and 6.11.00. Organizations using these versions in their operational technology environments are at risk.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk Services Platform
Versions: 6.10.00 and 6.11.00
Operating Systems: Windows (typically Windows Server 2012/2016/2019)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of the specified versions regardless of configuration. FactoryTalk Services Platform is commonly used in industrial automation environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial control systems leading to operational disruption, safety incidents, or manipulation of physical processes.

🟠 Likely Case

Unauthorized access to FactoryTalk applications and services, potentially enabling data theft, configuration changes, or lateral movement within OT networks.

🟢 If Mitigated

Limited impact if systems are air-gapped, have strict network segmentation, and use defense-in-depth security controls.

🌐 Internet-Facing: HIGH if exposed to internet, as authentication bypass could allow remote attackers direct access.
🏢 Internal Only: HIGH due to potential for internal attackers or compromised devices to exploit the vulnerability within OT networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

While no public proof-of-concept exists, authentication bypass vulnerabilities in industrial systems are frequently targeted. Attackers would need network access to FactoryTalk services.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 6.12.00 or later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1127683

Restart Required: Yes

Instructions:

1. Download FactoryTalk Services Platform version 6.12.00 or later from the Rockwell Automation support portal.
2. Back up the current configuration and data.
3. Install the update following Rockwell's installation guide.
4. Restart affected systems and services.
5. Verify proper functionality of FactoryTalk applications.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate FactoryTalk Services Platform systems from untrusted networks using firewalls and network segmentation.

Access Control Lists

all

Implement strict network access controls to limit connections to FactoryTalk services only from authorized systems.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems from other networks
  • Deploy intrusion detection systems to monitor for authentication bypass attempts

🔍 How to Verify

Check if Vulnerable:

Check the FactoryTalk Services Platform version in Control Panel > Programs and Features. If the version is 6.10.00 or 6.11.00, the system is vulnerable.

Check Version:

wmic product where "name like 'FactoryTalk%'" get version

Verify Fix Applied:

Verify installed version is 6.12.00 or later. Test authentication functionality with valid and invalid credentials.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful access
  • Unusual authentication patterns
  • Access from unexpected IP addresses

Network Indicators:

  • Authentication requests to FactoryTalk services from unauthorized sources
  • Unusual traffic patterns to FactoryTalk ports

SIEM Query:

source="FactoryTalk" AND (event_type="authentication" AND result="success") FROM suspicious_ip_addresses
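
The log and network indicators above can be correlated in a few lines of Python. This is an added example, not Rockwell's or this page's own tooling: it flags a successful login that follows repeated failures from the same source and user, and any successful login from outside an authorized subnet. The log layout, the `AUTHORIZED` subnet, the thresholds and the `find_suspicious` name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (timestamp, source IP, user, result); this is an
# assumed export format, not FactoryTalk's native log layout.
SAMPLE_LOG = """\
2020-07-01T08:00:00,10.20.1.15,operator1,success
2020-07-01T08:05:10,10.20.1.40,engineer,failure
2020-07-01T08:05:20,10.20.1.40,engineer,failure
2020-07-01T08:05:31,10.20.1.40,engineer,failure
2020-07-01T08:05:45,10.20.1.40,engineer,success
2020-07-01T09:00:00,192.168.50.7,admin,success
2020-07-01T10:00:00,10.20.1.15,operator1,failure
2020-07-01T10:00:30,10.20.1.15,operator1,success
"""

# Assumption: subnets allowed to reach FactoryTalk services at this site.
AUTHORIZED = [ip_network("10.20.1.0/24")]


def find_suspicious(log_text, authorized=AUTHORIZED, min_failures=3,
                    window=timedelta(minutes=5)):
    """Return (timestamp, source, user, reason) for each flagged success.

    Events are expected in chronological order.
    """
    failures = defaultdict(deque)  # (source, user) -> recent failure times
    alerts = []
    for line in log_text.strip().splitlines():
        ts_raw, src, user, result = (f.strip() for f in line.split(","))
        ts = datetime.fromisoformat(ts_raw)
        recent = failures[(src, user)]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures older than the window
        if result == "failure":
            recent.append(ts)
            continue
        if not any(ip_address(src) in net for net in authorized):
            alerts.append((ts_raw, src, user, "unauthorized-source"))
        if len(recent) >= min_failures:
            alerts.append((ts_raw, src, user, "success-after-failures"))
        recent.clear()  # a success starts a new sequence for this pair
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(*alert)
```

Tune `min_failures` and `window` to the site's normal operator behaviour; a single mistyped password followed by a success is deliberately not flagged at the default threshold.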
