CVE-2021-27468
📋 TL;DR
This critical vulnerability in Rockwell Automation FactoryTalk AssetCentre allows remote, unauthenticated attackers to execute arbitrary SQL statements via the AosService.rem service. Organizations using FactoryTalk AssetCentre v10.00 and earlier are affected, potentially exposing sensitive industrial control system data and configurations.
💻 Affected Systems
- Rockwell Automation FactoryTalk AssetCentre
📦 What is this software?
FactoryTalk AssetCentre by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the FactoryTalk AssetCentre database, allowing data theft, manipulation, or deletion, potentially leading to operational disruption in industrial environments.
Likely Case
Unauthorized access to sensitive asset management data, configuration information, and potential lateral movement within the industrial network.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized access to the vulnerable service.
🎯 Exploit Status
SQL injection through an unauthenticated remote service makes exploitation straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FactoryTalk AssetCentre v11.00 or later
Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1130831
Restart Required: Yes
Instructions:
1. Download FactoryTalk AssetCentre v11.00 or later from the Rockwell Automation support portal
2. Back up the current configuration and database
3. Install the updated version following vendor documentation
4. Restart the system and verify service functionality
🔧 Temporary Workarounds
Network Segmentation and Firewall Rules
Restrict access to the AosService.rem service (typically TCP port 8080) to only authorized management systems. Note that the rule shown here blocks all inbound connections to the port, including those from authorized management systems.
Windows Firewall: New-NetFirewallRule -DisplayName "Block AosService" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Block
Disable Unnecessary Service
Temporarily disable the AosService.rem service if not required for operations
sc stop AosService
sc config AosService start= disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FactoryTalk AssetCentre from untrusted networks
- Deploy application-level firewalls or WAFs with SQL injection detection rules
🔍 How to Verify
Check if Vulnerable:
Check FactoryTalk AssetCentre version via Control Panel > Programs and Features, or run: wmic product where "name like 'FactoryTalk AssetCentre%'" get version
Check Version:
wmic product where "name like 'FactoryTalk AssetCentre%'" get version
Verify Fix Applied:
Verify version is v11.00 or later and test that AosService.rem requires proper authentication
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Failed authentication attempts to AosService.rem
- Unexpected remote connections to port 8080
Network Indicators:
- SQL injection patterns in traffic to port 8080
- Unusual database query volume from AssetCentre server
SIEM Query:
source="FactoryTalk" AND (event_id="SQL_INJECTION" OR (port=8080 AND protocol="TCP" AND src_ip NOT IN [authorized_ips]))
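The "unexpected remote connections to port 8080" indicator above can also be checked directly against a Windows Firewall log (pfirewall.log). The following is an added example, not vendor or original-page code; the allow-list, the helper names and the sample log lines are constructed, and port 8080 is the "typical" port named above.

```python
import ipaddress

# Assumptions: allow-list and log lines are constructed for illustration;
# 8080 is the port this page calls typical for AosService.rem.
SERVICE_PORT = 8080
AUTHORIZED = [ipaddress.ip_network(n) for n in ("10.20.0.0/28", "10.20.5.7/32")]

# Constructed sample in the pfirewall.log layout (columns come from #Fields).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-04-02 08:15:01 ALLOW TCP 10.20.0.4 10.20.1.10 50122 8080 0 - 0 0 0 - - - RECEIVE
2021-04-02 08:15:09 ALLOW TCP 192.168.77.23 10.20.1.10 41877 8080 0 - 0 0 0 - - - RECEIVE
2021-04-02 08:15:12 ALLOW UDP 192.168.77.23 10.20.1.10 5353 8080 0 - - - - - - - RECEIVE
2021-04-02 08:16:40 DROP TCP 172.16.9.9 10.20.1.10 60001 8080 0 - 0 0 0 - - - RECEIVE
2021-04-02 08:17:02 ALLOW TCP 10.20.1.10 10.20.0.4 8080 50122 0 - 0 0 0 - - - SEND
2021-04-02 08:17:30 ALLOW TCP 192.168.77.23 10.20.1.10 41990 443 0 - 0 0 0 - - - RECEIVE
"""

def is_authorized(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in AUTHORIZED)

def find_unexpected(log_text, port=SERVICE_PORT):
    """Return (timestamp, src-ip, action) for inbound TCP hits on `port`
    whose source is outside the allow-list."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for following rows
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):      # truncated or malformed row
            continue
        rec = dict(zip(fields, parts))
        if (rec.get("protocol") != "TCP" or rec.get("path") != "RECEIVE"
                or rec.get("dst-port") != str(port)):
            continue
        try:
            if not is_authorized(rec["src-ip"]):
                hits.append((rec["date"] + " " + rec["time"], rec["src-ip"], rec["action"]))
        except (KeyError, ValueError):     # missing or unparsable source address
            continue
    return hits

if __name__ == "__main__":
    for hit in find_unexpected(SAMPLE_LOG):
        print(*hit)
```

ALLOW rows from outside the allow-list are the ones to investigate first; DROP rows show the firewall restriction is working but still indicate probing.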
🔗 References
- https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3Danswers%2Fanswer_view%2Fa_id%2F1130831
- https://www.cisa.gov/uscert/ics/advisories/icsa-21-091-01