CVE-2021-38461

8.2 HIGH

📋 TL;DR

This vulnerability involves hard-coded Blowfish encryption keys in industrial control systems, allowing attackers to decrypt sensitive data and potentially manipulate system operations. It affects users of Rockwell Automation FactoryTalk Linx software versions 6.11 and earlier.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk Linx
Versions: Versions 6.11 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of vulnerable versions; the hard-coded key is embedded in the software binaries.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing unauthorized control of industrial processes, data theft, and potential safety incidents in critical infrastructure.

🟠

Likely Case

Unauthorized access to sensitive configuration data, credential theft, and potential manipulation of industrial control communications.

🟢

If Mitigated

Limited impact if systems are air-gapped, have strict network segmentation, and use additional authentication layers.

🌐 Internet-Facing: HIGH - Any internet-exposed system with this vulnerability can be easily exploited due to the hard-coded key being extractable from binaries.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but doing so requires network access to the affected systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires extracting the hard-coded key from binaries and intercepting/decrypting communications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk Linx version 6.12 or later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435

Restart Required: Yes

Instructions:

1. Download FactoryTalk Linx version 6.12 or later from the Rockwell Automation website.
2. Back up the current configuration.
3. Install the update following the vendor instructions.
4. Restart affected systems.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected systems from untrusted networks to prevent key extraction and communication interception.

Encryption Layer

all

Implement additional encryption (TLS/SSL) for all communications involving FactoryTalk Linx.

🧯 If You Can't Patch

  • Implement strict network access controls to limit communication to only trusted systems
  • Monitor network traffic for unusual decryption attempts or unauthorized access patterns

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk Linx version via Control Panel > Programs and Features (Windows) or using vendor diagnostic tools.

Check Version:

wmic product where name="FactoryTalk Linx" get version

Verify Fix Applied:

Verify installation of version 6.12 or later and confirm no hard-coded keys are present in updated binaries.
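The following PowerShell script is an added example for the version check above; it is not from the advisory or from Rockwell Automation. It reads the Windows uninstall registry keys that back Programs and Features instead of `wmic product`, because the `Win32_Product` query behind `wmic product` triggers a consistency check and repair of every MSI package on the host, which is slow and can leave events in the Application log. The script assumes the installer registers a DisplayName containing "FactoryTalk Linx"; adjust the filter if your hosts show a different name.

```powershell
# Added example (not from the advisory or the vendor): find FactoryTalk Linx in the
# uninstall registry keys and compare its version with the fixed release, 6.12.
# Assumption: the DisplayName contains "FactoryTalk Linx".
$fixed = [version]'6.12'
$paths = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$apps = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like '*FactoryTalk Linx*' -and $_.DisplayVersion }

if (-not $apps) {
  Write-Output 'FactoryTalk Linx not found in the uninstall registry keys.'
  return
}

foreach ($app in $apps) {
  # DisplayVersion strings such as "6.11.00" parse as [version]; drop any trailing tag first.
  $raw = ($app.DisplayVersion -split '[^0-9.]')[0]
  try {
    $ver = [version]$raw
  } catch {
    Write-Output "$($app.DisplayName): cannot parse version '$($app.DisplayVersion)'"
    continue
  }
  $status = if ($ver -lt $fixed) {
    'VULNERABLE to CVE-2021-38461 - update to 6.12 or later'
  } else {
    'patched (6.12 or later)'
  }
  Write-Output "$($app.DisplayName) $ver : $status"
}
```

Run it in an elevated PowerShell session on each host that carries FactoryTalk Linx, or wrap it in `Invoke-Command` for a fleet; a version below 6.12 is the only signal the advisory gives you, so treat any such host as vulnerable regardless of network position.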

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts, unusual network connections to FactoryTalk Linx services

Network Indicators:

  • Unencrypted or suspiciously encrypted traffic to/from FactoryTalk Linx ports (typically 44818, 2222)

SIEM Query:

source="FactoryTalk" AND (event_type="authentication_failure" OR dest_port IN (44818, 2222))
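As an added illustration of the SIEM query above (not part of the advisory), the PowerShell below runs the same logic over a few constructed records and goes one step further: it keeps an allow-list of expected peers, so that routine traffic from known HMIs or engineering stations to ports 44818 and 2222 does not alert, while authentication failures and connections from unexpected hosts do. The field names, IP addresses and allow-list are assumptions; map them to your own log schema.

```powershell
# Added example, not from the advisory: the SIEM logic applied to constructed records,
# with an allow-list so that expected EtherNet/IP peers do not generate alerts.
$expectedPeers = @('10.0.1.10', '10.0.1.11')   # constructed: known HMIs / engineering stations
$ftPorts = @(44818, 2222)                       # ports named in the advisory

# Constructed sample events (not real logs).
$events = @'
time,source,src_ip,dest_port,event_type
2024-01-01T08:00:00,FactoryTalk,10.0.1.10,44818,connection
2024-01-01T08:00:05,FactoryTalk,10.0.1.10,2222,connection
2024-01-01T08:01:00,FactoryTalk,10.0.9.77,44818,connection
2024-01-01T08:02:00,FactoryTalk,10.0.9.77,0,authentication_failure
2024-01-01T08:03:00,Windows,10.0.9.77,445,connection
'@ | ConvertFrom-Csv

$alerts = $events | Where-Object {
  $_.source -eq 'FactoryTalk' -and (
    $_.event_type -eq 'authentication_failure' -or
    ([int]$_.dest_port -in $ftPorts -and $_.src_ip -notin $expectedPeers)
  )
}

# With the sample data only the two events from 10.0.9.77 are reported.
$alerts | Format-Table time, src_ip, dest_port, event_type -AutoSize
```

The allow-list is what keeps this usable on a plant network: without it, every legitimate FactoryTalk Linx session would match the port clause, and the authentication-failure clause would be lost in the noise.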

🔗 References
