CVE-2021-27472

10.0 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary SQL statements against Rockwell Automation FactoryTalk AssetCentre databases. It affects all versions up to v10.00, potentially compromising industrial control system asset management data and operations.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk AssetCentre
Versions: v10.00 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the SearchService component's RunSearch function. FactoryTalk AssetCentre is typically deployed in industrial control environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of FactoryTalk AssetCentre database leading to data theft, manipulation of industrial asset configurations, and potential lateral movement to connected industrial control systems.

🟠 Likely Case

Unauthorized access to sensitive asset information, configuration data exfiltration, and potential denial of service through database manipulation.

🟢 If Mitigated

Limited impact if network segmentation prevents external access and proper authentication controls are in place.

🌐 Internet-Facing: HIGH - Unauthenticated remote SQL injection allows direct exploitation from internet-facing systems.
🏢 Internal Only: HIGH - Even internally, unauthenticated SQL injection can be exploited by any network-connected attacker.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized. The unauthenticated nature and CVSS 10.0 score make this particularly attractive to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v10.01 or later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1130831

Restart Required: Yes

Instructions:

1. Download FactoryTalk AssetCentre v10.01 or later from the Rockwell Automation support portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Restart services and verify functionality.

🔧 Temporary Workarounds

Network Segmentation

Isolate FactoryTalk AssetCentre servers from untrusted networks and internet access.

Firewall Rules

Restrict access to FactoryTalk AssetCentre ports (typically 443/HTTPS) to authorized IP addresses only.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to FactoryTalk AssetCentre servers
  • Deploy a web application firewall (WAF) with SQL injection protection rules in front of the service

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk AssetCentre version in Control Panel > Programs and Features. Versions 10.00 or earlier are vulnerable.

Check Version:

wmic product where name="FactoryTalk AssetCentre" get version

Verify Fix Applied:

Verify version is 10.01 or later and test search functionality to ensure SQL injection attempts are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns in database logs
  • Multiple failed authentication attempts followed by search requests
  • Unexpected database schema changes or data exports

Network Indicators:

  • SQL injection patterns in HTTP POST requests to SearchService endpoints
  • Unusual outbound database connections from FactoryTalk servers

SIEM Query:

source="FactoryTalk" AND (url="*RunSearch*" AND (payload="*' OR *" OR payload="*;--*" OR payload="*UNION*"))
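
The same three payload patterns can be applied after URL-decoding and case-folding, which a literal wildcard match does not do. The following is an added example, not code from the vendor or the original page: the field names `source`, `url` and `payload` come from the query above, while the log records, the URL path placeholder and the word-boundary match on "union" (narrower than the wildcard) are assumptions.

```python
import re
from urllib.parse import unquote_plus

# The three payload patterns from the SIEM query, as regexes applied after normalisation.
RULES = {
    "quote-or": re.compile(r"'\s*or\s"),
    "stacked-comment": re.compile(r";\s*--"),
    "union": re.compile(r"\bunion\b"),  # assumption: whole word only, to cut noise
}

def normalise(value, max_rounds=3):
    """URL-decode until stable (bounded), then lower-case and collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value.lower())

def flag_runsearch(records):
    """Return (record index, sorted rule names) for RunSearch requests matching a rule."""
    hits = []
    for i, rec in enumerate(records):
        url = rec.get("url", "").lower()
        if rec.get("source") != "FactoryTalk" or "runsearch" not in url:
            continue
        payload = normalise(rec.get("payload", ""))
        matched = sorted(name for name, rx in RULES.items() if rx.search(payload))
        if matched:
            hits.append((i, matched))
    return hits

# Constructed sample records (not real traffic); "/placeholder/" stands in for the real path.
SAMPLE = [
    {"source": "FactoryTalk", "url": "/placeholder/RunSearch", "payload": "name=PLC-7 firmware"},
    {"source": "FactoryTalk", "url": "/placeholder/RunSearch", "payload": "name=x' OR 'a'='a"},
    {"source": "FactoryTalk", "url": "/placeholder/runsearch", "payload": "name=x%27%20oR%20%27a%27%3D%27a"},
    {"source": "FactoryTalk", "url": "/placeholder/RunSearch", "payload": "name=x%3B--"},
    {"source": "FactoryTalk", "url": "/placeholder/RunSearch", "payload": "name=reunion hall"},
    {"source": "FactoryTalk", "url": "/placeholder/Login", "payload": "user=a' OR 'a'='a"},
]

if __name__ == "__main__":
    for idx, rules in flag_runsearch(SAMPLE):
        print(idx, rules, SAMPLE[idx]["payload"])
```

Records 1 to 3 are flagged; the benign search, the "reunion" term and the non-RunSearch request are not.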
