CVE-2021-38477

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to read, write, manipulate, or delete files through insecure API functions in affected industrial control systems. It affects multiple Rockwell Automation FactoryTalk products used in critical infrastructure environments.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk Linx
  • Rockwell Automation FactoryTalk Linx CommDTM
Versions: FactoryTalk Linx versions 6.00 through 6.11, FactoryTalk Linx CommDTM versions 1.00 through 1.02
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using the vulnerable API functions for file operations. Industrial control systems in manufacturing, energy, and critical infrastructure sectors are particularly at risk.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to delete critical files, manipulate industrial processes, or install persistent malware leading to physical damage or production shutdown.

🟠 Likely Case

Unauthorized file access leading to data theft, configuration manipulation, or denial of service through file deletion.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH - Direct internet exposure would allow remote exploitation without authentication.
🏢 Internal Only: HIGH - Even internal attackers or compromised systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and involves simple API calls, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk Linx version 6.12, FactoryTalk Linx CommDTM version 1.03

Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1653.html

Restart Required: Yes

Instructions:

1. Download the updated versions from Rockwell Automation's website.
2. Install FactoryTalk Linx version 6.12 or higher.
3. Install FactoryTalk Linx CommDTM version 1.03 or higher.
4. Restart affected systems.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate affected systems from untrusted networks using firewalls and VLANs.

Access Control Restrictions (applies to: all)

Implement strict access controls to limit which systems can communicate with vulnerable APIs.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems from untrusted networks
  • Deploy intrusion detection systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check installed versions of FactoryTalk Linx and FactoryTalk Linx CommDTM via Windows Programs and Features or using vendor-specific version checking tools.

Check Version:

Check via Windows Control Panel > Programs and Features or use Rockwell Automation's FactoryTalk AssetCentre for inventory.

Verify Fix Applied:

Verify that FactoryTalk Linx version is 6.12 or higher and FactoryTalk Linx CommDTM version is 1.03 or higher.
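The version checks above can be scripted. The following PowerShell is an added example, not a script from the advisory or from Rockwell Automation: it reads the standard Windows uninstall registry keys, picks out entries whose display name contains "FactoryTalk Linx", and compares the installed version against the patched versions listed on this page (6.12 and 1.03). The exact DisplayName and DisplayVersion strings a given host reports are an assumption; the sample records at the bottom are constructed so the function can be exercised offline.

```powershell
# Added example (not from the advisory or the vendor): compare installed FactoryTalk Linx /
# CommDTM versions against the patched versions this page lists.
# Assumption: the products register under the Windows uninstall keys with a DisplayName
# containing "FactoryTalk Linx" and a DisplayVersion parseable as System.Version.

$PatchedVersions = @{
    'FactoryTalk Linx'         = [version]'6.12'
    'FactoryTalk Linx CommDTM' = [version]'1.03'
}

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-FactoryTalkLinxPatched {
    param(
        # Supply product records directly for offline testing; by default the registry is read.
        [object[]]$Installed = $null
    )
    if (-not $Installed) {
        $Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*FactoryTalk Linx*' } |
            Select-Object DisplayName, DisplayVersion
    }
    foreach ($p in $Installed) {
        # CommDTM is matched first because its name also contains "FactoryTalk Linx".
        $product  = if ($p.DisplayName -match 'CommDTM') { 'FactoryTalk Linx CommDTM' } else { 'FactoryTalk Linx' }
        $required = $PatchedVersions[$product]
        $found    = $null
        if (-not [version]::TryParse($p.DisplayVersion, [ref]$found)) {
            # Unparseable version strings are reported rather than silently treated as patched.
            [pscustomobject]@{ Product = $product; Installed = $p.DisplayVersion; Required = $required; Status = 'UNKNOWN (unparseable version)' }
            continue
        }
        $status = if ($found -ge $required) { 'PATCHED' } else { 'VULNERABLE' }
        [pscustomobject]@{ Product = $product; Installed = $found; Required = $required; Status = $status }
    }
}

# Constructed sample records (not from a real host) showing the output for one
# unpatched Linx install and one patched CommDTM install.
$sample = @(
    [pscustomobject]@{ DisplayName = 'FactoryTalk Linx';         DisplayVersion = '6.11.00' },
    [pscustomobject]@{ DisplayName = 'FactoryTalk Linx CommDTM'; DisplayVersion = '1.03.00' }
)
Test-FactoryTalkLinxPatched -Installed $sample | Format-Table -AutoSize

# On a real host, omit -Installed to read the registry:
# Test-FactoryTalkLinxPatched | Format-Table -AutoSize
```

Run it with an elevated prompt if the registry keys are not readable by the current user, and treat any UNKNOWN row as a prompt to confirm the version through FactoryTalk AssetCentre rather than as a pass.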

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns via FactoryTalk APIs
  • Multiple failed or successful file operations from unexpected sources
  • Unauthorized API calls to file manipulation functions

Network Indicators:

  • Unexpected network traffic to FactoryTalk services on port 44818 or other configured ports
  • File operation requests from unauthorized IP addresses

SIEM Query:

source="FactoryTalk" AND (event_type="file_access" OR event_type="api_call") AND (src_ip NOT IN allowed_ips)
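The SIEM query above expresses an allowlist check: FactoryTalk file and API events whose source address is not an approved host. The PowerShell below is an added example (not from the advisory or any SIEM vendor) that applies the same logic to constructed log records, so the rule can be tested before it is deployed. Field names follow the query on this page; the allowed CIDR ranges and the sample events are made up for the example.

```powershell
# Added example (not from the page's SIEM or the vendor): apply the allowlist logic of
# the SIEM query above to constructed log records. Field names (source, event_type,
# src_ip) follow the query; the CIDR ranges and events below are assumptions.

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    # Convert dotted-quad text to a host-order UInt32 (GetAddressBytes is big-endian, so reverse).
    $toInt = { param($a) [BitConverter]::ToUInt32(([System.Net.IPAddress]::Parse($a).GetAddressBytes()[3..0]), 0) }
    $mask  = if ([int]$bits -eq 0) { [uint32]0 } else { [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF) }
    ((& $toInt $Ip) -band $mask) -eq ((& $toInt $net) -band $mask)
}

function Find-SuspiciousFactoryTalkEvents {
    param([object[]]$Events, [string[]]$AllowedCidrs)
    foreach ($e in $Events) {
        # source="FactoryTalk" AND (event_type="file_access" OR event_type="api_call")
        if ($e.source -ne 'FactoryTalk') { continue }
        if ($e.event_type -notin @('file_access', 'api_call')) { continue }
        # src_ip NOT IN allowed_ips, with the allowlist expressed as CIDR ranges
        $allowed = $false
        foreach ($c in $AllowedCidrs) {
            if (Test-IPv4InCidr -Ip $e.src_ip -Cidr $c) { $allowed = $true; break }
        }
        if (-not $allowed) { $e }
    }
}

# Constructed sample events (not captured from a real system). Two should be flagged:
# the api_call from 192.0.2.44 and the file_access from 10.20.9.200.
$events = @(
    [pscustomobject]@{ timestamp = '2021-10-19T08:01:12Z'; source = 'FactoryTalk'; event_type = 'file_access'; src_ip = '10.20.1.15';  detail = 'read project file' },
    [pscustomobject]@{ timestamp = '2021-10-19T08:01:40Z'; source = 'FactoryTalk'; event_type = 'api_call';    src_ip = '192.0.2.44';  detail = 'file delete' },
    [pscustomobject]@{ timestamp = '2021-10-19T08:02:05Z'; source = 'Windows';     event_type = 'logon';       src_ip = '192.0.2.44';  detail = '' },
    [pscustomobject]@{ timestamp = '2021-10-19T08:02:30Z'; source = 'FactoryTalk'; event_type = 'file_access'; src_ip = '10.20.9.200'; detail = 'write config' }
)
$allowedCidrs = @('10.20.1.0/24', '10.20.2.0/24')   # assumed engineering workstation ranges

Find-SuspiciousFactoryTalkEvents -Events $events -AllowedCidrs $allowedCidrs | Format-Table -AutoSize
```

The allowlist should be derived from the access control restrictions applied as a workaround, so that the detection rule and the firewall policy name the same set of hosts.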
