CVE-2021-38469

9.1 CRITICAL

📋 TL;DR

This vulnerability allows DLL hijacking through uncontrolled search paths in industrial control systems. Attackers can place malicious DLLs in directories searched by vulnerable services, leading to arbitrary code execution. Affects Rockwell Automation FactoryTalk Services Platform and related products.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk Services Platform
  • FactoryTalk Linx
  • RSLinx Classic
  • FactoryTalk View SE
  • FactoryTalk View ME Station
Versions: Multiple versions up to and including v6.11.00
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems where FactoryTalk Services Platform is installed. Industrial control systems in manufacturing, energy, and critical infrastructure sectors.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining SYSTEM privileges, enabling industrial sabotage, data theft, or ransomware deployment on critical infrastructure.

🟠 Likely Case

Local privilege escalation leading to persistent access, lateral movement within OT networks, and disruption of industrial processes.

🟢 If Mitigated

Limited impact with proper file permissions, application whitelisting, and network segmentation preventing DLL placement and execution.

🌐 Internet-Facing: LOW - Typically requires local access or network foothold, not directly exploitable over internet.
🏢 Internal Only: HIGH - Critical for OT/ICS environments where attackers with internal access can cause severe operational disruption.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires local access or the ability to place files on the target system. DLL hijacking is a well-understood attack vector with available tooling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk Services Platform v6.11.01 and later

Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1652.html

Restart Required: Yes

Instructions:

1. Download FactoryTalk Services Platform v6.11.01 or later from the Rockwell Automation website.
2. Stop all FactoryTalk services.
3. Install the update following the vendor instructions.
4. Restart the system and verify that the services are running.

🔧 Temporary Workarounds

Restrict DLL search paths (Windows)

Use Windows policies to restrict the DLL search order and prevent loading from the current working directory:

Set the registry value HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode to 1.
Set the CWDIllegalInDllSearch registry value (same key) to the value appropriate for your environment.

Note that neither setting prevents loading from the application's own directory, which is why the file permission hardening below also matters.

File permission hardening (Windows)

Restrict write permissions on the directories where FactoryTalk binaries are located. A deny ACE takes precedence over allow entries and also affects administrators (who are members of Users), so remove it before applying updates and test in a non-production environment first:

icacls "C:\Program Files\Rockwell Software\FactoryTalk Services" /deny Users:(OI)(CI)W
icacls "C:\Program Files (x86)\Rockwell Software\FactoryTalk Services" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

  • Implement strict application whitelisting to prevent unauthorized DLL execution
  • Segment OT networks from IT networks and restrict access to FactoryTalk systems

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk Services Platform version via Control Panel > Programs and Features. Versions 6.11.00 and earlier are vulnerable.

Check Version:

wmic product where "name like 'FactoryTalk%'" get name, version

Verify Fix Applied:

Verify that the installed version is 6.11.01 or later. Confirm with Process Monitor or a similar tool that FactoryTalk processes no longer probe for DLLs in writable or user-controlled directories.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event ID 4688 showing DLL loading from unexpected directories
  • Sysmon Event ID 7 (Image loaded) showing DLLs loaded from non-standard paths

Network Indicators:

  • Unusual outbound connections from FactoryTalk services
  • Lateral movement attempts from FactoryTalk systems

SIEM Query:

source="windows" AND (event_id=4688 OR event_id=7) AND process_name="*FactoryTalk*" AND (file_path="*.\*" OR file_path="*\Temp\*")
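The Sysmon Event ID 7 indicator above, turned into a small offline check, as an added example that is not part of the original advisory: the sample records, the FactoryTalkSvc.exe service name and the trusted directory roots are all constructed assumptions, not vendor-documented values.

```python
"""Flag Sysmon Event ID 7 (Image loaded) records in which a FactoryTalk/RSLinx
process loads a DLL from outside the directories it should load from."""
import ntpath

# Substrings (lowercase) identifying the process images this detection watches.
WATCHED = ("factorytalk", "rslinx")

# Directories a correctly installed service is expected to load DLLs from
# (assumed roots for this example; adjust them to your install paths).
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files\rockwell software",
    r"c:\program files (x86)\rockwell software",
)

def _under(path, root):
    p, r = ntpath.normpath(path).lower(), ntpath.normpath(root).lower()
    return p == r or p.startswith(r + "\\")

def suspicious_loads(events):
    """Return (ImageLoaded, reason) for each Event 7 record that looks like a hijack."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("EventID") != 7 or not any(w in image.lower() for w in WATCHED):
            continue
        loaded = ev.get("ImageLoaded", "")
        # The process's own directory is a legitimate source only because the
        # icacls workaround keeps it non-writable by standard users.
        trusted = TRUSTED_ROOTS + (ntpath.dirname(image),)
        if not any(_under(ntpath.dirname(loaded), root) for root in trusted):
            hits.append((loaded, "loaded from untrusted directory"))
        elif str(ev.get("Signed", "true")).lower() != "true":
            hits.append((loaded, "unsigned DLL in trusted directory"))
    return hits

# Constructed sample records (not real telemetry); service and DLL names are made up.
FT_EXE = r"C:\Program Files (x86)\Rockwell Software\FactoryTalk Services\FactoryTalkSvc.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": FT_EXE, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": FT_EXE, "Signed": "false",
     "ImageLoaded": r"C:\Users\Public\example.dll"},
    {"EventID": 7, "Image": FT_EXE, "Signed": "false",
     "ImageLoaded": r"C:\Program Files (x86)\Rockwell Software\FactoryTalk Services\helper.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe", "Signed": "false",
     "ImageLoaded": r"C:\Users\Public\example.dll"},
]
```

Running `suspicious_loads(SAMPLE_EVENTS)` flags the load from C:\Users\Public and the unsigned helper.dll in the install directory, and ignores the unrelated notepad.exe record.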
