CVE-2021-32960
📋 TL;DR
CVE-2021-32960 is an authentication bypass vulnerability in Rockwell Automation FactoryTalk Services Platform that allows authenticated remote attackers to bypass FactoryTalk Security policies based on computer names. This could grant attackers the same privileges as if they were logged onto the client machine. Affected systems include FactoryTalk Services Platform v6.11 and earlier with FactoryTalk Security enabled and deployed.
💻 Affected Systems
- Rockwell Automation FactoryTalk Services Platform
📦 What is this software?
FactoryTalk Services Platform by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full control over industrial control systems, potentially allowing disruption of operations, data theft, or physical damage to industrial processes.
Likely Case
An authenticated attacker elevates privileges to access restricted systems, modify configurations, or exfiltrate sensitive industrial data.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated systems with minimal operational disruption.
🎯 Exploit Status
Exploitation requires authenticated access but is considered low complexity once authentication is achieved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FactoryTalk Services Platform v6.12 or later
Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131785
Restart Required: Yes
Instructions:
1. Download FactoryTalk Services Platform v6.12 or later from Rockwell Automation.
2. Follow Rockwell Automation's upgrade procedures.
3. Restart affected systems after installation.
🔧 Temporary Workarounds
Network Segmentation
All platforms: Isolate FactoryTalk Services Platform systems from untrusted networks and implement strict access controls.
Disable FactoryTalk Security
Windows: Temporarily disable FactoryTalk Security if not required, though this reduces overall security.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks.
- Enforce least privilege access controls and monitor for unusual authentication patterns.
🔍 How to Verify
Check if Vulnerable:
Check FactoryTalk Services Platform version in Control Panel > Programs and Features. If version is 6.11 or earlier and FactoryTalk Security is enabled, the system is vulnerable.
Check Version:
wmic product where "name like '%FactoryTalk Services Platform%'" get name,version
Verify Fix Applied:
Verify FactoryTalk Services Platform version is 6.12 or later in Control Panel > Programs and Features.
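The version check above as a PowerShell script, added here as an example and not taken from Rockwell Automation's advisory. It reads the uninstall registry keys instead of querying wmic product, because Win32_Product queries trigger a Windows Installer consistency check of every installed package. Assumptions: the product registers a DisplayName containing "FactoryTalk Services Platform" and a dotted numeric DisplayVersion.

```powershell
# Added example: registry-based check against the fixed version named on this page.
# Assumption: DisplayName contains "FactoryTalk Services Platform" and
# DisplayVersion starts with a dotted numeric version (for example 6.11.00).
$fixed = [version]'6.12'
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect matching entries from both the 64-bit and 32-bit uninstall views.
$found = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*FactoryTalk Services Platform*' })

if ($found.Count -eq 0) {
    Write-Output 'FactoryTalk Services Platform not found in the uninstall registry keys.'
}
else {
    foreach ($p in $found) {
        $parsed = $null
        $numeric = $null
        # Keep only the leading dotted-numeric part so a suffix does not break parsing.
        if ($p.DisplayVersion -match '^\d+(\.\d+){1,3}') { $numeric = $Matches[0] }

        if ($numeric -and [version]::TryParse($numeric, [ref]$parsed)) {
            if ($parsed -lt $fixed) {
                # v6.11 and earlier: affected when FactoryTalk Security is enabled.
                $status = 'Vulnerable if FactoryTalk Security is enabled'
            }
            else {
                $status = 'Fixed version (6.12 or later)'
            }
        }
        else {
            $status = 'Version not parseable, check manually'
        }

        [pscustomobject]@{
            Name    = $p.DisplayName
            Version = $p.DisplayVersion
            Status  = $status
        }
    }
}
```

The script only reports the installed version; whether FactoryTalk Security is enabled and deployed still has to be confirmed separately.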
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts from unexpected computer names
- Access to restricted resources by users with unexpected privileges
Network Indicators:
- Unexpected network traffic to FactoryTalk Services Platform ports (typically 4000-4002)
- Authentication requests from unauthorized systems
SIEM Query:
source="FactoryTalk" AND (event_id=4624 OR event_id=4625) AND computer_name NOT IN (allowed_computer_list)