CVE-2021-42539

8.0 HIGH

📋 TL;DR

An authenticated user with limited privileges can trigger a system backup restore because the restore operation does not properly validate the caller's permissions. Restoring a backup rewrites the server's accounts and settings, so this can lead to account takeover and unauthorized configuration changes. It affects FactoryTalk AssetCentre installations with the vulnerable backup/restore functionality, which are typically found in industrial control environments.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk AssetCentre
Versions: prior to 10.00.00.09
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the system backup/restore function itself, so any installation where that function is enabled and reachable by non-administrative users is exposed. Because AssetCentre manages configuration and backups for industrial control assets, a compromised server gives an attacker a path to those assets.

📦 What is this software?

FactoryTalk AssetCentre is Rockwell Automation's asset-management software for industrial automation environments. It centralizes backup, versioning and change tracking of controller programs and device configurations, manages user access to those assets, and provides system backup/restore of its own server configuration. That system backup/restore function is the one affected here.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with administrative account takeover, unauthorized configuration changes, and potential disruption of industrial processes.

🟠 Likely Case: Unauthorized settings modification leading to system misconfiguration, data integrity issues, and potential operational impact.

🟢 If Mitigated: Limited impact, with proper access controls and network segmentation preventing unauthorized backup restore attempts.

🌐 Internet-Facing: MEDIUM - A server reachable from the internet can be attacked by anyone who holds or steals a valid user account, but exploitation still requires authenticating to AssetCentre and reaching its backup/restore function.
🏢 Internal Only: HIGH - Internal attackers or compromised low-privileged accounts could exploit this to take over accounts, gain elevated privileges and modify critical settings.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an existing account on the AssetCentre server but not an administrative one: the system backup restore process fails to validate the caller's permissions, so a low-privileged user can trigger a restore. Because the flaw is a missing permission check rather than a memory-safety bug, exploitation uses the product's own restore function; no public proof of concept has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk AssetCentre v10.00.00.09 and later

Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1133605

Restart Required: Yes

Instructions:

1. Download FactoryTalk AssetCentre v10.00.00.09 or later from Rockwell Automation (see the vendor advisory above).
2. Back up the current configuration.
3. Install the update following the vendor's instructions.
4. Restart the system.
5. Verify that the installed version is 10.00.00.09 or later.

🔧 Temporary Workarounds

Restrict Backup/Restore Access (Windows)

Limit the accounts that can log on to the AssetCentre server and client to those that genuinely need backup and restore, and restrict NTFS permissions on the directories holding backup files so that only administrators and the AssetCentre service account can read or write them. Note that the missing check is inside AssetCentre itself, so OS-level restrictions narrow who can reach the function but do not fix it.

Network Segmentation (all platforms)

Isolate FactoryTalk AssetCentre systems from untrusted networks and implement strict firewall rules, allowing only the ports and protocols needed by authorized client and device systems.

🧯 If You Can't Patch

  • Implement strict access controls and principle of least privilege for all users
  • Monitor backup/restore activities and implement alerting for unauthorized attempts

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk AssetCentre version. If version is below 10.00.00.09, the system is vulnerable.

Check Version:

Check version in FactoryTalk AssetCentre application or Windows Programs and Features

Verify Fix Applied:

Verify that the installed version is 10.00.00.09 or later, then confirm that a non-administrative test account is denied when it attempts a system backup restore.
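As an added example (not from the advisory or from Rockwell Automation), the version check above can be scripted in PowerShell on the AssetCentre server so it can be run across a fleet. It reads the uninstall registry keys that Programs and Features displays; the DisplayName pattern '*AssetCentre*' is an assumption about how the installer registers itself and may need adjusting.

```powershell
# Added example, not part of the advisory: compare the installed FactoryTalk
# AssetCentre build with the fixed build for CVE-2021-42539.
# Exit code: 0 = patched, 1 = vulnerable build found, 2 = could not determine.
$fixed = [version]'10.0.0.9'   # '10.00.00.09' parses to 10.0.0.9

# Both 64-bit and 32-bit uninstall hives, as Programs and Features reads them
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the product registers with a DisplayName containing 'AssetCentre'
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*AssetCentre*' -and $_.DisplayVersion }

if (-not $entries) {
    Write-Warning 'No FactoryTalk AssetCentre entry found in Programs and Features.'
    exit 2
}

$worst = 0
foreach ($e in $entries) {
    $installed = $null
    # Compare as System.Version, not as strings: '10.00.00.09' vs '10.0.0.9' must be equal
    if (-not [version]::TryParse($e.DisplayVersion, [ref]$installed)) {
        Write-Warning "Cannot parse version '$($e.DisplayVersion)' for '$($e.DisplayName)'; check manually."
        $worst = [math]::Max($worst, 2)
        continue
    }
    if ($installed -lt $fixed) {
        Write-Output "VULNERABLE: $($e.DisplayName) $installed is below $fixed (CVE-2021-42539)"
        $worst = [math]::Max($worst, 1)
    } else {
        Write-Output "OK: $($e.DisplayName) $installed is at or above $fixed"
    }
}
exit $worst
```

The exit code makes the script usable from a configuration-management or inventory tool; a non-zero result is the signal to follow up, and exit code 2 means the entry was missing or its version string was not in dotted-numeric form and needs a manual check.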

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized backup restore attempts
  • Changes to user permissions or system settings from non-admin accounts
  • Failed authentication attempts followed by backup operations

Network Indicators:

  • Unusual network traffic to backup storage locations
  • Unexpected connections to FactoryTalk AssetCentre backup ports

SIEM Query (pseudo-query; the field names are placeholders to map onto your actual AssetCentre audit export or Windows event fields):

source="FactoryTalk" AND (event_type="backup_restore" OR event_type="permission_change") AND user_role!="admin"
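The three log indicators above, as an added example (not from the advisory or from the product): a PowerShell function that applies them to audit records. The comma-separated record layout and the sample rows are constructed for this example; AssetCentre's real audit export and Windows event fields will differ, so map them onto these column names first.

```powershell
# Added example, not part of the advisory or the product. Constructed audit
# records with columns: timestamp,user,role,action,result
$sample = @'
timestamp,user,role,action,result
2021-11-15T08:02:11,opr_smith,operator,login,failure
2021-11-15T08:02:40,opr_smith,operator,login,failure
2021-11-15T08:03:05,opr_smith,operator,login,success
2021-11-15T08:05:30,opr_smith,operator,backup_restore,success
2021-11-15T09:10:00,ftadmin,admin,backup_restore,success
2021-11-15T10:22:45,eng_jones,engineer,permission_change,success
2021-11-15T11:00:00,eng_jones,engineer,backup_view,success
'@

function Find-SuspiciousRestoreActivity {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $WindowMinutes = 15
    )
    # Parse the records and attach a real [datetime] for window arithmetic
    $events = $Lines | ConvertFrom-Csv | ForEach-Object {
        $_ | Add-Member -NotePropertyName ts -NotePropertyValue ([datetime]$_.timestamp) -PassThru
    }
    $alerts = @()

    # Indicators 1 and 2: a restore or permission change by a non-admin principal.
    # This is the authorization failure CVE-2021-42539 describes.
    $privileged = $events | Where-Object {
        $_.action -in 'backup_restore', 'permission_change' -and $_.role -ne 'admin'
    }
    foreach ($e in $privileged) {
        $alerts += [pscustomobject]@{
            time   = $e.ts
            user   = $e.user
            reason = "$($e.action) by non-admin role '$($e.role)'"
        }
    }

    # Indicator 3: failed logins followed by a backup operation from the same
    # user within the window (credential guessing, then use of the restore path)
    foreach ($g in ($events | Group-Object user)) {
        $failures = $g.Group | Where-Object { $_.action -eq 'login' -and $_.result -eq 'failure' }
        $backups  = $g.Group | Where-Object { $_.action -like 'backup_*' }
        foreach ($b in $backups) {
            $recent = @($failures | Where-Object {
                $_.ts -le $b.ts -and $_.ts -ge $b.ts.AddMinutes(-$WindowMinutes)
            })
            if ($recent.Count -gt 0) {
                $alerts += [pscustomobject]@{
                    time   = $b.ts
                    user   = $g.Name
                    reason = "$($b.action) within $WindowMinutes min of $($recent.Count) failed login(s)"
                }
            }
        }
    }
    $alerts | Sort-Object time
}

Find-SuspiciousRestoreActivity -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```

On the constructed rows, opr_smith's restore is flagged twice (non-admin role, and two failed logins inside the 15-minute window), eng_jones's permission change is flagged once, and ftadmin's restore is not flagged. Tune the window and the role list to your environment, and treat the role column as whatever your audit source records as the effective AssetCentre privilege level, not the Windows group membership.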

🔗 References

  • Rockwell Automation advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1133605