CVE-2020-27251

9.8 CRITICAL

📋 TL;DR

A heap overflow in FactoryTalk Linx version 6.11 and earlier allows a remote, unauthenticated attacker to send a crafted port range to the service; the resulting heap corruption could lead to remote code execution. FactoryTalk Linx is Rockwell Automation's communication software linking controllers to HMI and engineering applications in industrial control systems, so a compromised Linx host sits directly on the control network.

💻 Affected Systems

Products:
  • FactoryTalk Linx
Versions: Version 6.11 and prior
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects FactoryTalk Linx communication software used in industrial control systems.

📦 What is this software?

FactoryTalk Linx (formerly RSLinx Enterprise) is Rockwell Automation's communication server for industrial control systems. It runs as a Windows service and brokers traffic between Allen-Bradley controllers and FactoryTalk HMI, historian and engineering software, listening on the EtherNet/IP (CIP) ports that the vulnerable code handles.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A remote, unauthenticated attacker gains full control of the FactoryTalk Linx host, giving them a foothold on the control network from which industrial processes and safety systems can be manipulated.

🟠 Likely Case

Remote code execution on the Linx host leading to system compromise, theft of project or process data, or disruption of industrial operations.

🟢 If Mitigated

With network access restricted to trusted peers, the residual risk is a crash of the Linx service (denial of service and loss of HMI/controller communication) from malformed traffic that still reaches it.

🌐 Internet-Facing: HIGH - Vulnerability is remotely exploitable without authentication, making internet-exposed systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, unauthenticated network access could lead to compromise of critical industrial systems.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No public proof-of-concept is known, but the flaw is reachable over the network without authentication and rated low complexity, so treat it as high risk and do not wait for a PoC before patching.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 6.12 or later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1130565

Restart Required: Yes

Instructions:

1. Download FactoryTalk Linx version 6.12 or later from Rockwell Automation (see the vendor advisory above).
2. Install the update following the vendor instructions. Plan this for a maintenance window: the Linx service, and every HMI or engineering application that depends on it, is unavailable during the upgrade and the restart.
3. Restart the affected systems and confirm the installed version (see How to Verify below).

🔧 Temporary Workarounds

Network Segmentation

Applies to: all affected versions

Isolate FactoryTalk Linx systems from untrusted networks using firewalls and network segmentation.

Port Restriction

Applies to: all affected versions

Restrict access to the EtherNet/IP (CIP) ports FactoryTalk Linx listens on (typically TCP/UDP 44818 and UDP 2222) to trusted controllers and workstations only. On the Linx host itself this can be done with Windows Defender Firewall rules scoped by remote address; on the network, with an ACL on the OT switch or firewall in front of the host.
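The following PowerShell is an added example, not code from this page or from Rockwell Automation. It implements the port restriction on the Linx host with Windows Defender Firewall: it sets the default inbound action to block, adds inbound allow rules for the CIP ports scoped to a trusted-peer list, and reports any other inbound allow rule on the same ports. The addresses in `$TrustedPeers` are assumed placeholders; run the script in an elevated session.

```powershell
# Added example (not vendor code): scope inbound CIP ports on a FactoryTalk Linx host
# to trusted peers with Windows Defender Firewall. Run as Administrator.

# Assumed placeholder addresses: replace with your controllers and engineering workstations.
$TrustedPeers = @('10.10.1.0/24', '10.10.2.15')

# Ports the page lists for FactoryTalk Linx (EtherNet/IP explicit, discovery, implicit I/O).
$CipPorts = @(
    @{ Protocol = 'TCP'; Port = 44818 },
    @{ Protocol = 'UDP'; Port = 44818 },
    @{ Protocol = 'UDP'; Port = 2222 }
)

# 1. Make sure anything without an explicit allow rule is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

foreach ($cp in $CipPorts) {
    $name = "FTLinx allow $($cp.Protocol)/$($cp.Port) from trusted peers"

    # 2. Add the scoped allow rule once (idempotent on re-run).
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol $cp.Protocol -LocalPort $cp.Port -RemoteAddress $TrustedPeers `
            -Profile Any | Out-Null
    }

    # 3. Report other inbound allow rules on the same port. Windows Firewall honours every
    #    matching allow rule, so an unscoped rule left by an installer would undo the restriction.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq $cp.Protocol -and $_.LocalPort -contains "$($cp.Port)" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $name } |
        ForEach-Object {
            Write-Warning ("Unscoped allow rule also matches {0}/{1}: '{2}' (review, then Disable-NetFirewallRule)" -f
                $cp.Protocol, $cp.Port, $_.DisplayName)
        }
}
```

The script deliberately adds no explicit block rule: in Windows Firewall an explicit block rule wins over every allow rule, so a "block 44818 from anyone" rule would also cut off the trusted peers. The restriction instead comes from the profile's default inbound block plus the scoped allow rule, which is why the third step lists any competing allow rules for the operator to disable.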

🧯 If You Can't Patch

  • Implement strict network segmentation so that only trusted controllers and engineering workstations can reach FactoryTalk Linx hosts
  • Deploy intrusion detection on the OT network segment to monitor for malformed traffic and unexpected sources on the FactoryTalk ports
  • Keep the workarounds in place until the upgrade to a fixed version has been verified

🔍 How to Verify

Check if Vulnerable:

Look up the installed FactoryTalk Linx version in Control Panel > Programs and Features (Windows) or in the product's own version information; any version 6.11 or earlier is affected.

Check Version:

No command-line version switch is documented here; read the DisplayVersion from Programs and Features, or from the corresponding Uninstall registry keys, instead.

Verify Fix Applied:

Confirm that the installed version is 6.12 or later, that the installer completed without errors, and that the FactoryTalk Linx service is running again after the restart.
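A scriptable form of the version check above, added here as an example and not a Rockwell tool: it reads the Uninstall registry keys that back Programs and Features and compares DisplayVersion with the fixed version given on this page. The `*FactoryTalk Linx*` DisplayName pattern is an assumption; adjust it if the product is listed under a different name on your hosts.

```powershell
# Added example (not a vendor tool): find the installed FactoryTalk Linx version from the
# Windows uninstall registry keys and compare it with the fixed version this page gives.
$FixedVersion = [version]'6.12'

# Both native and WOW6432Node keys, since the product may be registered as 32-bit.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumed DisplayName pattern; change it if your installation is listed differently.
$installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*FactoryTalk Linx*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate

if (-not $installed) {
    Write-Output 'FactoryTalk Linx not found in Programs and Features on this host.'
    return
}

foreach ($app in $installed) {
    # DisplayVersion strings can carry suffixes; keep only the leading dotted-numeric part.
    $verText = $app.DisplayVersion -replace '[^0-9.].*$', ''
    try { $ver = [version]$verText } catch { $ver = $null }

    $status = if ($null -eq $ver) { 'UNKNOWN (unparseable version string, check manually)' }
              elseif ($ver -lt $FixedVersion) { "VULNERABLE to CVE-2020-27251: update to $FixedVersion or later" }
              else { 'OK (fixed version installed)' }

    Write-Output ('{0} {1} -> {2}' -f $app.DisplayName, $app.DisplayVersion, $status)
}
```

Run it on each Linx host after the upgrade; a result of OK together with a running FactoryTalk Linx service is the evidence to record for the change.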

📡 Detection & Monitoring

Log Indicators:

  • Windows Application log crash events (Application Error, faulting module) for the FactoryTalk Linx service process
  • Repeated restarts or instability of the FactoryTalk Linx service

Network Indicators:

  • Malformed or oversized packets to the FactoryTalk Linx EtherNet/IP ports (44818, 2222)
  • Connections to FactoryTalk Linx ports from sources outside the trusted controller and workstation set, especially from non-OT subnets

SIEM Query:

(dest_port=44818 OR dest_port=2222) AND (malformed_packet=TRUE OR protocol_violation=TRUE)

The query is pseudo-syntax for illustration. Match on the destination port (the Linx service listens there; the attacker's source port is arbitrary) and keep the port test parenthesised: AND binds tighter than OR, so without the parentheses the 44818 clause matches all traffic to that port regardless of the malformed flag.
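As an added example that is not part of the page, the following PowerShell applies the network indicator above to Windows Firewall log lines: it parses the standard pfirewall.log field layout and flags inbound traffic to the Linx ports from any source outside a trusted set, whether the firewall allowed the packet (it may have reached the service) or dropped it (scanning). The log lines and addresses are constructed for the example; on a real host enable logging with `Set-NetFirewallProfile -LogAllowed True -LogBlocked True` and feed the script the file under `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log`.

```powershell
# Added example (not from the page): flag inbound traffic to FactoryTalk Linx ports
# from untrusted sources in Windows Firewall log lines (pfirewall.log layout).

# Assumed trusted controllers and workstations (placeholders).
$TrustedPeers   = @('10.10.1.0/24', '10.10.2.15')
$MonitoredPorts = 44818, 2222

# Constructed sample in the pfirewall.log field order; on a real host replace with
# Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log".
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-11-25 10:14:02 ALLOW TCP 10.10.1.20 10.10.1.5 51234 44818 0 - 0 0 0 - - - RECEIVE
2020-11-25 10:14:09 ALLOW TCP 192.0.2.77 10.10.1.5 40022 44818 0 - 0 0 0 - - - RECEIVE
2020-11-25 10:14:11 DROP UDP 198.51.100.9 10.10.1.5 6000 2222 64 - - - - - - - RECEIVE
2020-11-25 10:15:00 ALLOW TCP 10.10.1.5 10.10.1.30 52000 445 0 - 0 0 0 - - - SEND
'@

function ConvertTo-UInt32Address ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> little-endian for ToUInt32
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-TrustedSource ([string]$Ip, [string[]]$Trusted) {
    $addr = ConvertTo-UInt32Address $Ip
    foreach ($entry in $Trusted) {
        $net, $bits = $entry -split '/'
        if (-not $bits) { $bits = 32 }            # a bare address is treated as /32
        # Mask without shift operators: 2^32 - 2^(32-bits) keeps the top $bits bits set.
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
        if (($addr -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)) { return $true }
    }
    return $false
}

# Parse data lines into objects; field 16 is the direction (RECEIVE/SEND).
$events = $SampleLog -split "`r?`n" |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ForEach-Object {
        $f = $_ -split '\s+'
        [pscustomobject]@{
            Time = "$($f[0]) $($f[1])"; Action = $f[2]; Protocol = $f[3]
            Src = $f[4]; Dst = $f[5]; SrcPort = [int]$f[6]; DstPort = [int]$f[7]; Path = $f[16]
        }
    }

# Alert on anything received on a Linx port from outside the trusted set.
$alerts = $events | Where-Object {
    $_.Path -eq 'RECEIVE' -and
    $MonitoredPorts -contains $_.DstPort -and
    -not (Test-TrustedSource -Ip $_.Src -Trusted $TrustedPeers)
}

foreach ($a in $alerts) {
    Write-Output ('{0} {1} {2} {3}:{4} -> {5}:{6} (untrusted source)' -f
        $a.Time, $a.Action, $a.Protocol, $a.Src, $a.SrcPort, $a.Dst, $a.DstPort)
}
```

On the sample above only the second and third lines are reported: the first comes from a host inside 10.10.1.0/24 and the last is outbound SMB traffic. An ALLOW hit from an untrusted source is the one to escalate, since the packet reached the Linx service; pair it with any Application log crash event for the service at the same time.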

🔗 References

  • Rockwell Automation advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1130565