CVE-2023-2637
📋 TL;DR
This vulnerability in Rockwell Automation's FactoryTalk System Services allows local authenticated non-admin users to generate administrator cookies using a hard-coded cryptographic key, leading to privilege escalation. It affects systems using FactoryTalk Policy Manager, potentially enabling malicious database changes that deploy when legitimate users apply security policies. User interaction is required for successful exploitation.
💻 Affected Systems
- Rockwell Automation FactoryTalk System Services
📦 What is this software?
FactoryTalk Policy Manager by Rockwell Automation
FactoryTalk System Services by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains administrative privileges, modifies the FactoryTalk Policy Manager database to deploy malicious security policies, compromising industrial control system integrity and safety.
Likely Case
A malicious insider or compromised account escalates privileges to make unauthorized changes to security policies, disrupting operations or enabling further attacks.
If Mitigated
With strict access controls and monitoring, impact is limited to isolated incidents with quick detection and remediation.
🎯 Exploit Status
Exploitation involves manipulating cookies; no public proof-of-concept known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Rockwell Automation advisory for specific patched versions.
Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139683
Restart Required: Yes
Instructions:
1. Review the vendor advisory for affected versions.
2. Download and apply the official patch from Rockwell Automation.
3. Restart the affected systems as required.
4. Verify the patch installation.
🔧 Temporary Workarounds
Restrict Local Access
(Windows) Limit local authenticated access to FactoryTalk System Services to trusted users only.
Monitor User Activity
(All platforms) Implement logging and monitoring for unusual administrative cookie generation or policy changes.
🧯 If You Can't Patch
- Enforce least privilege access controls to minimize the number of local authenticated users.
- Increase monitoring for suspicious activities related to FactoryTalk Policy Manager database changes.
🔍 How to Verify
Check if Vulnerable:
Check the installed version of FactoryTalk System Services against the vendor advisory to see if it's in the affected range.
Check Version:
Use the Rockwell Automation software management tools or check the application properties in Windows to determine the version.
Verify Fix Applied:
After patching, verify the version has been updated to a patched release as specified in the vendor advisory.
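The version check described above can be scripted from the Windows Uninstall registry keys. This is an added example, not Rockwell Automation's tooling; it assumes the products register a DisplayName containing "FactoryTalk System Services" or "FactoryTalk Policy Manager", and the patched-version threshold is a placeholder that must be replaced with the value from the vendor advisory.

```powershell
# Added example: enumerate installed FactoryTalk products from the Windows
# Uninstall registry keys and compare each DisplayVersion against a threshold.
# $PatchedVersion is a PLACEHOLDER; take the real value from the Rockwell advisory.
$PatchedVersion = [version]'0.0.0.0'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# DisplayName patterns are an assumption about how the products register themselves.
$Products = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*FactoryTalk System Services*' -or
                   $_.DisplayName -like '*FactoryTalk Policy Manager*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate

if (-not $Products) {
    Write-Output 'No FactoryTalk System Services / Policy Manager entry found in the Uninstall keys.'
    return
}

foreach ($p in $Products) {
    $installed = $null
    # DisplayVersion is a free-form string; parse defensively rather than assuming x.y.z.w
    if (-not [version]::TryParse($p.DisplayVersion, [ref]$installed)) {
        Write-Output ("{0}: version '{1}' could not be parsed; check manually" -f $p.DisplayName, $p.DisplayVersion)
        continue
    }
    $status = if ($installed -ge $PatchedVersion) {
        'at or above patched version'
    } else {
        'BELOW patched version - apply the vendor patch'
    }
    Write-Output ("{0} {1} (installed {2}): {3}" -f $p.DisplayName, $installed, $p.InstallDate, $status)
}
```

Run it on each host that carries FactoryTalk System Services; with the placeholder left at 0.0.0.0 every install reports as patched, so set the threshold first.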
📡 Detection & Monitoring
Log Indicators:
- Log entries showing unauthorized administrative cookie generation or unexpected policy changes in FactoryTalk Policy Manager.
Network Indicators:
- Unusual network traffic from local users to FactoryTalk services indicating privilege escalation attempts.
SIEM Query:
Example: search for event logs from FactoryTalk System Services with keywords like 'admin cookie' or 'policy change' from non-admin users.