CVE-2021-38473

8.0 HIGH

📋 TL;DR

This vulnerability allows attackers to trigger a stack overflow by manipulating function arguments in affected products, potentially leading to arbitrary code execution or denial of service. It affects industrial control systems and related software that use vulnerable code libraries. Organizations using these systems in critical infrastructure are particularly at risk.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk Linx software
  • Rockwell Automation RSLinx Classic
Versions: FactoryTalk Linx v6.00 through v6.11, RSLinx Classic v4.11.00 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using the vulnerable communication components for industrial automation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, manipulation of industrial processes, or persistent backdoor installation.

🟠

Likely Case

Denial of service causing system crashes or instability in industrial control environments.

🟢

If Mitigated

Limited impact with proper network segmentation and exploit mitigations in place.

🌐 Internet-Facing: HIGH - If vulnerable systems are exposed to untrusted networks, exploitation is straightforward.
🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this, but requires network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No public exploit code is available, but the vulnerability is considered straightforward to exploit given its stack overflow nature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk Linx v6.12 or later, RSLinx Classic v4.11.01 or later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131435

Restart Required: Yes

Instructions:

1. Download the updated software from Rockwell Automation's security advisory page.
2. Install the update following vendor instructions.
3. Restart affected systems to apply changes.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate affected systems from untrusted networks using firewalls and VLANs.

Disable Unnecessary Services

Platform: windows

Turn off FactoryTalk Linx or RSLinx Classic services if not required for operations.

sc stop "FactoryTalk Linx"
sc stop "RSLinx Classic"

🧯 If You Can't Patch

  • Implement strict network access controls to limit communication to trusted hosts only.
  • Deploy host-based intrusion prevention systems (HIPS) with stack overflow protection.

🔍 How to Verify

Check if Vulnerable:

Check installed version of FactoryTalk Linx or RSLinx Classic via Control Panel > Programs and Features.

Check Version:

wmic product where "name like 'FactoryTalk Linx%'" get name,version

Verify Fix Applied:

Verify version is FactoryTalk Linx v6.12+ or RSLinx Classic v4.11.01+ after patching.
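An added PowerShell check, not part of the advisory, that reads installed products from the registry Uninstall keys (which, unlike wmic product / Win32_Product, does not trigger an MSI consistency check of every installed package) and compares them against the fixed versions stated above. The DisplayName prefixes "FactoryTalk Linx" and "RSLinx Classic" are assumptions about how the products register themselves.

```powershell
# Added example (not Rockwell Automation's code): compare installed versions of
# the affected products against the fixed versions given on this page.
# Assumption: the products register Uninstall entries whose DisplayName starts
# with the product name used below.
$fixed = @{
    'FactoryTalk Linx' = [version]'6.12'
    'RSLinx Classic'   = [version]'4.11.01'
}

# Both native and 32-bit (WOW6432Node) Uninstall hives are checked.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion }

foreach ($product in $fixed.Keys) {
    $found = $installed | Where-Object { $_.DisplayName -like "$product*" }
    if (-not $found) {
        Write-Output "$product : not installed"
        continue
    }
    foreach ($entry in $found) {
        # Vendor version strings are not always clean System.Version values;
        # flag anything that does not parse rather than silently skipping it.
        $ver = $null
        if (-not [version]::TryParse($entry.DisplayVersion, [ref]$ver)) {
            Write-Output "$($entry.DisplayName) : unparseable version '$($entry.DisplayVersion)' - check manually"
            continue
        }
        # [version] compares component-wise, so 4.11.00 < 4.11.01 and 6.11.x < 6.12.
        $status = if ($ver -ge $fixed[$product]) { 'PATCHED' } else { 'VULNERABLE' }
        Write-Output "$($entry.DisplayName) $ver : $status (fixed in $($fixed[$product]))"
    }
}
```

Run from an elevated PowerShell prompt on each host; a "not installed" result for both products means the host is out of scope for this CVE.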

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in FactoryTalk Linx or RSLinx Classic logs
  • Windows Event Log entries for application failures

Network Indicators:

  • Unusual traffic patterns to FactoryTalk Linx ports (typically 44818, 2222)
  • Malformed packets targeting industrial protocols

SIEM Query:

source="windows" AND (event_id=1000 OR event_id=1001) AND process_name="FactoryTalkLinx.exe"

🔗 References
