CVE-2021-27474

10.0 CRITICAL

📋 TL;DR

This vulnerability in Rockwell Automation FactoryTalk AssetCentre allows remote, unauthenticated attackers to modify sensitive data by exploiting insufficient restrictions on IIS remoting services. It affects FactoryTalk AssetCentre v10.00 and earlier versions. Organizations using these versions in industrial control systems are at risk.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk AssetCentre
Versions: v10.00 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of FactoryTalk AssetCentre v10.00 and earlier. Industrial control systems using this software are particularly vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial control systems, unauthorized modification of critical operational data, potential disruption of manufacturing processes, and safety system manipulation.

🟠 Likely Case

Unauthorized data modification in FactoryTalk AssetCentre, potential configuration changes affecting asset management, and possible lateral movement within industrial networks.

🟢 If Mitigated

Limited impact with proper network segmentation, but still poses risk to isolated systems if exploited internally.

🌐 Internet-Facing: HIGH - Directly exploitable by remote attackers without authentication when exposed to internet.
🏢 Internal Only: HIGH - Even internally, unauthenticated exploitation is possible within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CVSS 10.0 indicates trivial exploitation with maximum impact. No public PoC known but weaponization is likely given the critical nature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk AssetCentre v10.01 or later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1130831

Restart Required: Yes

Instructions:

1. Download FactoryTalk AssetCentre v10.01 or later from Rockwell Automation support portal.
2. Backup current configuration and data.
3. Install the updated version following vendor instructions.
4. Restart the system and verify functionality.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate FactoryTalk AssetCentre systems from untrusted networks and implement strict firewall rules.

IIS Service Restriction

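Platform: windows

Configure IIS to restrict access to remoting services to authorized IP addresses only. With Windows Firewall's default inbound policy of block, an allow rule scoped to those addresses achieves this, provided any broader inbound allow rules for ports 80 and 443 are disabled. A block rule with remoteip=any would cut off the authorized hosts as well, because block rules take precedence over allow rules. In the command below, AUTHORIZED_IPS is a placeholder for the comma-separated addresses or subnets of the authorized clients.

netsh advfirewall firewall add rule name="Allow FactoryTalk IIS from authorized hosts" dir=in action=allow protocol=TCP localport=80,443 remoteip=AUTHORIZED_IPS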

🧯 If You Can't Patch

  • Implement strict network segmentation and zero-trust architecture around FactoryTalk AssetCentre systems
  • Deploy intrusion detection systems and monitor for unauthorized access attempts to IIS remoting services

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk AssetCentre version in Control Panel > Programs and Features. Versions 10.00 or earlier are vulnerable.

Check Version:

wmic product where name="FactoryTalk AssetCentre" get version

Verify Fix Applied:

Verify installation of FactoryTalk AssetCentre v10.01 or later and confirm IIS remoting service restrictions are properly configured.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to IIS remoting services in Windows Event Logs
  • Unexpected modifications to FactoryTalk AssetCentre configuration files

Network Indicators:

  • Unusual traffic patterns to FactoryTalk AssetCentre IIS services on ports 80/443
  • Unauthorized remote connections to asset management systems

SIEM Query:

source="windows" AND (event_id=4625 OR event_id=4648) AND process_name="w3wp.exe" AND destination_port IN (80, 443)
