CVE-2021-38457

CVSS: 9.8 CRITICAL

📋 TL;DR

CVE-2021-38457 allows attackers to establish sessions with vulnerable servers without providing any authentication credentials. This affects industrial control systems using Rockwell Automation FactoryTalk Linx software, potentially enabling unauthorized access to critical infrastructure.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk Linx
Versions: All versions prior to 6.11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects FactoryTalk Linx communication servers in industrial control environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial control systems allowing attackers to manipulate processes, cause physical damage, or disrupt critical infrastructure operations.

🟠 Likely Case

Unauthorized access to industrial control networks enabling data theft, reconnaissance, or disruption of manufacturing processes.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable systems.

🌐 Internet-Facing: HIGH - Direct internet exposure allows complete unauthenticated access to industrial control systems.
🏢 Internal Only: HIGH - Even internally, lack of authentication allows any network user to access critical systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication required makes exploitation trivial for any network-accessible system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk Linx version 6.11

Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1658.html

Restart Required: Yes

Instructions:

1. Download FactoryTalk Linx version 6.11 from Rockwell Automation.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart affected systems.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate FactoryTalk Linx servers from untrusted networks using firewalls and VLANs.

Access Control Lists (applies to: all)

Implement strict network access controls to limit connections to FactoryTalk Linx servers.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems from all untrusted networks.
  • Deploy intrusion detection systems to monitor for unauthorized access attempts to FactoryTalk Linx services.

🔍 How to Verify

Check if Vulnerable:

Check the installed FactoryTalk Linx version under Control Panel > Programs and Features. Versions below 6.11 are vulnerable.

Check Version:

wmic product where "name like '%FactoryTalk Linx%'" get name,version

Note: the where clause must be quoted because the product name contains a space. Querying Win32_Product this way is slow and triggers a consistency check of every installed MSI package; the Programs and Features list or the registry uninstall keys report the same version without that side effect.

Verify Fix Applied:

Verify version is 6.11 or higher and test that authentication is required for server connections.
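The version check above, as an added PowerShell example that is not part of the original advisory: it reads the installed-programs registry keys instead of Win32_Product and compares the reported version against the fixed version 6.11. It assumes the product registers with a DisplayName containing "FactoryTalk Linx"; if the display name differs, adjust the filter.

```powershell
# Added example (not vendor code): flag FactoryTalk Linx installs below 6.11 (CVE-2021-38457).
# Assumption: the product appears in the uninstall keys with a DisplayName containing "FactoryTalk Linx".
$FixedVersion = [version]'6.11'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Read every uninstall entry and keep only those whose display name matches the product.
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*FactoryTalk Linx*' } |
    Select-Object DisplayName, DisplayVersion

if (-not $installs) {
    Write-Output 'FactoryTalk Linx not found in the uninstall registry keys; check Programs and Features manually.'
    return
}

foreach ($app in $installs) {
    # DisplayVersion may carry extra components (e.g. "6.10.00.01"); [version] parses up to four parts.
    $parsed = $null
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$parsed)) {
        Write-Output ("{0}: could not parse version '{1}', check manually" -f $app.DisplayName, $app.DisplayVersion)
        continue
    }

    # Any version strictly below the fixed release is affected.
    if ($parsed -lt $FixedVersion) {
        Write-Output ("VULNERABLE: {0} {1} is below {2} (CVE-2021-38457)" -f $app.DisplayName, $parsed, $FixedVersion)
    } else {
        Write-Output ("OK: {0} {1} is at or above {2}" -f $app.DisplayName, $parsed, $FixedVersion)
    }
}
```

Run it in an elevated PowerShell session on each FactoryTalk Linx host; a version-only check does not replace confirming that connections are actually rejected without credentials after the update.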

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated connection attempts to FactoryTalk Linx ports
  • Multiple failed authentication attempts if logging enabled

Network Indicators:

  • Unencrypted traffic to FactoryTalk Linx ports (44818, 2222)
  • Connections from unexpected IP addresses

SIEM Query:

(dest_port=44818 OR dest_port=2222) AND NOT user_authenticated=true

The port test must be parenthesized: in most query languages AND binds more tightly than OR, so without the parentheses the authentication filter would apply only to port 2222. Connections to the service carry the FactoryTalk Linx port as the destination port, so match on the destination rather than the source port. Field names are placeholders; map them to your SIEM's schema.
