CVE-2021-27464

10.0 CRITICAL

📋 TL;DR

This critical vulnerability in Rockwell Automation FactoryTalk AssetCentre allows remote, unauthenticated attackers to execute arbitrary SQL statements due to missing authentication in the ArchiveService.rem service. Organizations using FactoryTalk AssetCentre v10.00 and earlier are affected, potentially exposing sensitive industrial control system data and configurations.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk AssetCentre
Versions: v10.00 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of FactoryTalk AssetCentre v10.00 and earlier; the vulnerable ArchiveService.rem service is enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the FactoryTalk AssetCentre database, allowing data theft, manipulation of industrial control configurations, and potential lateral movement to operational technology networks.

🟠 Likely Case: Unauthorized access to sensitive asset management data, configuration files, and potential credential harvesting from the database.

🟢 If Mitigated: Limited impact with proper network segmentation and authentication controls preventing external access to the vulnerable service.

🌐 Internet-Facing: HIGH - Direct remote exploitation possible without authentication, making internet-exposed systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, the lack of authentication allows any network-connected attacker to exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via an unauthenticated remote service makes exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk AssetCentre v11.00 or later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1130831

Restart Required: Yes

Instructions:

1. Download FactoryTalk AssetCentre v11.00 or later from the Rockwell Automation support portal.
2. Back up the current configuration and database.
3. Install the updated version following vendor documentation.
4. Restart the FactoryTalk AssetCentre services.

🔧 Temporary Workarounds

Network Segmentation and Firewall Rules

windows

Restrict network access to the FactoryTalk AssetCentre server and block access to the ArchiveService.rem service port (typically TCP 4343).

netsh advfirewall firewall add rule name="Block FactoryTalk ArchiveService" dir=in action=block protocol=TCP localport=4343

Disable Vulnerable Service

windows

Stop and disable the ArchiveService.rem service if not required for operations.

sc stop "FactoryTalk AssetCentre Archive Service"
sc config "FactoryTalk AssetCentre Archive Service" start= disabled

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FactoryTalk AssetCentre from untrusted networks
  • Deploy application-level firewalls or web application firewalls to monitor and block SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Check the FactoryTalk AssetCentre version via Control Panel > Programs and Features. If the version is 10.00 or earlier, the system is vulnerable.

Check Version:

wmic product where "name like 'FactoryTalk AssetCentre%'" get version

Verify Fix Applied:

Verify installation of FactoryTalk AssetCentre v11.00 or later and confirm the ArchiveService.rem service requires proper authentication.
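
The version check and the firewall workaround above can be audited together on one host. The script below is an added example, not taken from the vendor advisory or from this page's source. It assumes the product registers a DisplayName beginning with "FactoryTalk AssetCentre" in the uninstall registry keys, and it reuses the port (TCP 4343) and firewall rule name given in the workaround section.

```powershell
# Added example: audit one host against the checks on this page.
$FixedVersion = [version]'11.0'                     # first fixed release per the page
$ArchivePort  = 4343                                # "typically TCP 4343" per the page
$RuleName     = 'Block FactoryTalk ArchiveService'  # rule name from the netsh workaround

function Get-AssetCentreVersion {
    # Assumption: the product registers a DisplayName starting with
    # "FactoryTalk AssetCentre". Uninstall keys are read instead of
    # Win32_Product, which runs an MSI consistency check on every package.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'FactoryTalk AssetCentre*' -and $_.DisplayVersion } |
        Select-Object -ExpandProperty DisplayVersion -Unique
}

function Test-Vulnerable([string]$DisplayVersion) {
    # Compare numerically, not as text: "9.00" sorts after "11.00" as a string.
    if ($DisplayVersion -notmatch '^\d+(\.\d+){1,3}') { return $null }  # unparseable: check by hand
    return ([version]$Matches[0]) -lt $FixedVersion
}

function Test-BlockRule {
    # The rule only counts if it is enabled, inbound, blocking, and covers the port.
    $rules = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' -and $_.Direction -eq 'Inbound' }
    foreach ($r in $rules) {
        $filter = $r | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains "$ArchivePort") { return $true }
    }
    return $false
}

$listening = [bool](Get-NetTCPConnection -LocalPort $ArchivePort -State Listen -ErrorAction SilentlyContinue)
$blocked   = Test-BlockRule
$versions  = @(Get-AssetCentreVersion)
if ($versions.Count -eq 0) {
    Write-Output 'FactoryTalk AssetCentre not found in the uninstall registry keys.'
} else {
    foreach ($v in $versions) {
        [pscustomobject]@{
            InstalledVersion = $v
            Vulnerable       = Test-Vulnerable $v
            PortListening    = $listening
            BlockRuleActive  = $blocked
        }
    }
}
```

A host that reports Vulnerable = True with PortListening = True and BlockRuleActive = False is both unpatched and unmitigated, and should be prioritised.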

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in FactoryTalk AssetCentre logs
  • Failed authentication attempts to ArchiveService.rem
  • Unexpected database connections or modifications

Network Indicators:

  • Unusual traffic to TCP port 4343
  • SQL injection patterns in network traffic to FactoryTalk AssetCentre

SIEM Query:

(source="FactoryTalk" AND (event_id=4625 OR sql_injection_patterns)) OR (dest_port=4343 AND (sql_keywords OR unusual_payload_size))
