CVE-2021-42536

8.0 HIGH

📋 TL;DR

CVE-2021-42536 allows unauthorized users to read sensitive global variables containing peer username and password credentials. This affects systems running FactoryTalk Linx versions prior to 6.11, where improper access controls expose these variables to all authenticated users.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk Linx
Versions: All versions prior to 6.11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects FactoryTalk Linx software components that manage communication with peer devices.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative credentials leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Unauthorized users access sensitive credentials, potentially compromising peer systems and exposing authentication information.

🟢 If Mitigated

Limited exposure with proper access controls preventing unauthorized variable access, reducing risk to credential disclosure only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but minimal technical skill to read exposed variables.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk Linx version 6.11

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1133605

Restart Required: Yes

Instructions:

1. Download FactoryTalk Linx version 6.11 from the Rockwell Automation website.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart affected systems.

🔧 Temporary Workarounds

Restrict User Access

Limit user accounts to only those requiring access to FactoryTalk Linx components.

Network Segmentation

Isolate FactoryTalk Linx systems from untrusted networks and users.

🧯 If You Can't Patch

  • Implement strict access controls and least privilege principles for all user accounts
  • Monitor and audit access to FactoryTalk Linx systems for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk Linx version in Control Panel > Programs and Features. If version is below 6.11, system is vulnerable.

Check Version:

wmic product where name like "FactoryTalk Linx%" get version

Verify Fix Applied:

Verify version is 6.11 or higher in Control Panel > Programs and Features.
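
The same check as a script, added here as an example (not vendor or page-supplied code): it reads the Uninstall registry keys that back Programs and Features and compares each installed FactoryTalk Linx version against 6.11 numerically, so 6.2 is not mistaken for something newer than 6.11. It assumes the display name starts with "FactoryTalk Linx" (the pattern used in the wmic query above) and that DisplayVersion is a dotted numeric string; reading the registry also avoids the Windows Installer consistency check that querying Win32_Product (which `wmic product` does) triggers for every installed package.

```powershell
# Added example: report installed FactoryTalk Linx versions and flag any below 6.11.
# Assumptions: DisplayName starts with "FactoryTalk Linx"; DisplayVersion is dotted numeric.

$FixedVersion = [version]'6.11'

# Uninstall keys back the Programs and Features list (64-bit and 32-bit views).
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # Keep only the leading dotted-numeric part, e.g. "6.11.00 (build)" -> "6.11.00"
    if ($Text -match '^\s*(\d+(\.\d+){0,3})') {
        $v = $Matches[1]
        if ($v -notmatch '\.') { $v = "$v.0" }   # [version] needs at least major.minor
        return [version]$v
    }
    return $null
}

function Get-LinxPatchStatus {
    Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'FactoryTalk Linx*' } |
        ForEach-Object {
            $parsed = ConvertTo-ComparableVersion $_.DisplayVersion
            if ($null -eq $parsed)              { $status = 'UNKNOWN (unparsed version)' }
            elseif ($parsed -lt $FixedVersion)  { $status = 'VULNERABLE (< 6.11)' }
            else                                { $status = 'PATCHED (>= 6.11)' }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Status   = $status
            }
        }
}

$results = @(Get-LinxPatchStatus)
if ($results.Count -eq 0) {
    Write-Output 'FactoryTalk Linx not found in the uninstall registry keys.'
} else {
    $results | Format-Table -AutoSize
}
```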

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by successful access
  • Unauthorized user accounts accessing FactoryTalk Linx services

Network Indicators:

  • Unusual network traffic patterns to/from FactoryTalk Linx systems
  • Credential harvesting attempts

SIEM Query:

source="FactoryTalk" AND (event_type="authentication" OR event_type="access_control") AND result="success" AND user NOT IN [authorized_users]
