CVE-2021-27476

10.0 CRITICAL

📋 TL;DR

This vulnerability allows remote, unauthenticated attackers to execute arbitrary operating system commands on Rockwell Automation FactoryTalk AssetCentre systems. The command injection occurs in the SaveConfigFile function of the RACompare Service, potentially giving attackers full control over affected systems. Organizations running FactoryTalk AssetCentre v10.00 or earlier are affected.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk AssetCentre
Versions: v10.00 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default. The RACompare Service runs as part of FactoryTalk AssetCentre.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, steal sensitive industrial data, disrupt operations, or pivot to other critical infrastructure systems.

🟠 Likely Case

Attackers gain remote code execution to deploy ransomware, establish persistence, or exfiltrate sensitive industrial control system data.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the isolated AssetCentre system without affecting production environments.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation makes internet-exposed systems extremely vulnerable to automated attacks.
🏢 Internal Only: HIGH - Even internally accessible systems are vulnerable to unauthenticated attackers who gain network access through phishing or other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit with publicly available proof-of-concept code. Remote unauthenticated access makes it attractive for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk AssetCentre v10.01 and later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1130831

Restart Required: Yes

Instructions:

1. Download FactoryTalk AssetCentre v10.01 or later from Rockwell Automation's website.
2. Back up the current configuration and data.
3. Install the updated version following the vendor's instructions.
4. Restart the system to apply the changes.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate FactoryTalk AssetCentre systems from untrusted networks and internet access

Configure firewall rules to block inbound traffic to TCP ports used by FactoryTalk AssetCentre (default ports vary by installation)

Service Restriction

Platform: windows

Disable or restrict access to the RACompare Service if not required

Windows Firewall: netsh advfirewall firewall add rule name="Block RACompare" dir=in action=block protocol=TCP localport=[PORT_NUMBER]
Service Control: sc config "FactoryTalk AssetCentre RACompare Service" start= disabled

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate AssetCentre systems from production networks and internet
  • Deploy application whitelisting to prevent execution of unauthorized commands and binaries

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk AssetCentre version in Control Panel > Programs and Features. Versions 10.00 or earlier are vulnerable.

Check Version:

wmic product where name="FactoryTalk AssetCentre" get version

Verify Fix Applied:

Verify installation of v10.01 or later and ensure the RACompare Service is updated. Check vendor patch notes for specific fixes applied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in Windows Event Logs (Event ID 4688)
  • Suspicious process creation by the RACompare Service
  • Failed authentication attempts followed by successful command execution

Network Indicators:

  • Unusual outbound connections from AssetCentre systems
  • Traffic to known malicious IPs or domains
  • Anomalous patterns in RACompare Service communications

SIEM Query:

source="windows" AND (process_name="cmd.exe" OR process_name="powershell.exe") AND parent_process="RACompareService.exe"
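The same condition the SIEM query expresses, applied to Windows Security Event ID 4688 (process creation) records, as an added example that is not part of the advisory. The field names follow the 4688 event (NewProcessName, ParentProcessName, CommandLine); the binary name RACompareService.exe is taken from the SIEM query above and is an assumption about the real service image, and the install paths in the sample records are constructed.

```python
# Flag 4688 records in which the RACompare Service spawns a command
# interpreter. Field names follow the 4688 event; RACompareService.exe and
# the install paths below are assumptions, not values from the vendor.
import ntpath
from dataclasses import dataclass
from typing import List

SUSPECT_PARENTS = {"racompareservice.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Constructed sample records: EventID|NewProcessName|ParentProcessName|CommandLine
SAMPLE_LOG = """\
4688|C:\\Windows\\System32\\cmd.exe|C:\\Program Files (x86)\\Rockwell Software\\RACompare\\RACompareService.exe|cmd.exe /c dir
4688|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\explorer.exe|powershell.exe
4688|C:\\Windows\\System32\\conhost.exe|C:\\Program Files (x86)\\Rockwell Software\\RACompare\\RACompareService.exe|conhost.exe
4688|C:\\WINDOWS\\SYSTEM32\\WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE|C:\\PROGRAM FILES (X86)\\ROCKWELL SOFTWARE\\RACOMPARE\\RACOMPARESERVICE.EXE|POWERSHELL.EXE -NoProfile
"""

@dataclass
class ProcessEvent:
    event_id: int
    new_process: str     # full path of the created process
    parent_process: str  # full path of the creator process
    command_line: str    # empty unless command-line auditing is enabled

def parse_line(line: str) -> ProcessEvent:
    # CommandLine is the last field and may itself contain '|' or spaces
    event_id, new_proc, parent, cmdline = line.split("|", 3)
    return ProcessEvent(int(event_id), new_proc, parent, cmdline)

def _image(path: str) -> str:
    # Compare on the lower-cased file name: 4688 records full paths, and
    # Windows paths are case-insensitive, so a case-only change must still match
    return ntpath.basename(path).lower()

def is_suspicious(ev: ProcessEvent) -> bool:
    return (ev.event_id == 4688
            and _image(ev.parent_process) in SUSPECT_PARENTS
            and _image(ev.new_process) in INTERPRETERS)

def find_alerts(log_text: str) -> List[ProcessEvent]:
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [ev for ev in events if is_suspicious(ev)]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_LOG):
        print(f"ALERT: {ev.parent_process} spawned {ev.new_process}: {ev.command_line}")
```

Event ID 4688 carries ParentProcessName only on Windows 10 / Server 2016 and later, and CommandLine only when "Include command line in process creation events" is enabled, so the parent-image check is the filter to rely on.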

🔗 References
