CVE-2023-2778
📋 TL;DR
A denial-of-service vulnerability in Rockwell Automation FactoryTalk Transaction Manager allows attackers to crash the application or cause high resource consumption by sending specially crafted packets to port 400. This affects organizations using FactoryTalk Transaction Manager in industrial control environments. The application requires restart to recover from the DoS condition.
💻 Affected Systems
- Rockwell Automation FactoryTalk Transaction Manager
📦 What is this software?
FactoryTalk Transaction Manager by Rockwell Automation: Windows-hosted middleware that moves data between plant-floor control systems (FactoryTalk and PLC data sources) and enterprise databases and applications. It runs on a Windows server or workstation, not on the controllers, so a crash interrupts those data transactions rather than control logic.
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash requiring manual restart, disrupting industrial operations that depend on FactoryTalk Transaction Manager for data exchange between systems.
Likely Case
Intermittent application functionality issues with high CPU/memory usage, causing performance degradation in industrial data transactions.
If Mitigated
No impact if network controls prevent access to port 400 or if the vulnerability is patched.
🎯 Exploit Status
Exploitation requires sending a modified packet to port 400 - no authentication needed. The specific packet structure hasn't been publicly disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.31.00
Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139744
Restart Required: Yes
Instructions:
1. Download FactoryTalk Transaction Manager version 2.31.00 from Rockwell Automation (see the vendor advisory above).
2. Back up the current configuration.
3. Install the update following the vendor documentation.
4. Restart the application/service and confirm that the usual clients reconnect.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to port 400/TCP with host or network firewall rules so that only trusted systems (the data sources and consumers that actually talk to Transaction Manager) can reach it. A blanket block on the port also cuts off legitimate clients, which is its own outage.
Windows Firewall (PowerShell, run as Administrator; the subnet is a placeholder for your trusted clients): New-NetFirewallRule -DisplayName "FactoryTalk TM port 400 - trusted hosts only" -Direction Inbound -Protocol TCP -LocalPort 400 -RemoteAddress 10.10.20.0/24 -Action Allow. Keep the profile's default inbound action at Block; Windows Firewall applies Block rules before Allow rules, so an explicit Block rule on port 400 would override this allow-list rather than complement it.
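The allow-list approach as a complete script. This is an added example, not code from the Rockwell advisory or the product; the trusted subnet and host are placeholders, and the rule display name is arbitrary. It also hunts for pre-existing wide-open Allow rules on the port, since any one of those would let untrusted hosts through regardless of the new rule.

```powershell
# Added example (not from the vendor advisory): restrict inbound TCP/400 to an
# allow-list of trusted hosts instead of blocking the port outright.
# ASSUMPTION: the addresses below are placeholders for your trusted clients.
$TrustedRemotes = @('10.10.20.0/24', '10.10.30.15')

# Windows Firewall evaluates Block rules before Allow rules, so a blanket
# "Block 400" rule would also cut off legitimate clients. Instead, make sure the
# profile default for inbound traffic is Block and add a scoped Allow rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

New-NetFirewallRule -DisplayName 'FactoryTalk Transaction Manager TCP/400 - trusted hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort 400 `
    -RemoteAddress $TrustedRemotes -Action Allow -Profile Any

# Any existing enabled rule that allows TCP/400 (or all ports) from any remote
# address defeats the allow-list. List such rules so they can be reviewed and
# disabled (Disable-NetFirewallRule -DisplayName '<name>').
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        ($pf.Protocol -eq 'TCP') -and
        (($pf.LocalPort -contains '400') -or ($pf.LocalPort -eq 'Any')) -and
        ($af.RemoteAddress -eq 'Any')
    } |
    Select-Object DisplayName, Profile, Enabled
```

Apply the same allow-list at the network firewall in front of the host; the host rule only protects against traffic that reaches the machine, and a crashed host firewall service offers nothing.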
Port Change
Change the default port from 400 to a non-standard port, but only if the product's configuration actually supports it and every client is updated to match. This hides the listener from casual port scans; it does not remove the flaw, so treat it as a stopgap until the patch is installed.
Consult the vendor documentation for your installed version for the setting that controls the listening port; do not edit configuration files by guesswork on a production system.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FactoryTalk Transaction Manager from untrusted networks
- Deploy intrusion detection systems to monitor for anomalous traffic on port 400
🔍 How to Verify
Check if Vulnerable:
Check the installed FactoryTalk Transaction Manager version: anything below 2.31.00 is vulnerable. Then confirm whether the service is actually exposed by checking for a listener on port 400: netstat -ano | findstr ":400 " (the trailing space keeps the pattern from also matching ports 4000-4009 and remote-side ports; match the PID column to the Transaction Manager process). Get-NetTCPConnection -LocalPort 400 -State Listen gives the same answer without the pattern problem.
Check Version:
Check FactoryTalk Transaction Manager About dialog or installation directory version information
Verify Fix Applied:
Confirm the reported version is 2.31.00 or higher, that the service starts cleanly after the restart, and that the normal client connections on port 400 succeed. Do not send crafted or malformed packets at a production install to "prove" the fix: that is exactly the condition the advisory warns about, and a crash there is an outage.
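The version and exposure checks above as one script. This is an added example, not from the vendor advisory; it assumes the product registers under Add/Remove Programs with a DisplayName containing "FactoryTalk Transaction Manager" and a parseable DisplayVersion (if it does not, fall back to the About dialog), and it takes the fixed version 2.31.00 from the advisory summary above.

```powershell
# Added example, not from the vendor advisory: report whether this host still
# looks vulnerable to CVE-2023-2778 and whether the service is reachable.
# ASSUMPTION: the product appears in the Uninstall registry keys with a
# DisplayName containing "FactoryTalk Transaction Manager".
$FixedVersion = [version]'2.31.00'   # parses as 2.31.0; fixed version per the advisory summary

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*FactoryTalk Transaction Manager*' } |
    Select-Object -First 1 DisplayName, DisplayVersion

if (-not $product) {
    Write-Output 'FactoryTalk Transaction Manager not found in the Uninstall registry; check the About dialog manually.'
} else {
    $installed = $null
    if ([version]::TryParse($product.DisplayVersion, [ref]$installed)) {
        if ($installed -lt $FixedVersion) {
            Write-Output ('VULNERABLE: {0} {1} is below {2}' -f $product.DisplayName, $installed, $FixedVersion)
        } else {
            Write-Output ('Patched: {0} {1}' -f $product.DisplayName, $installed)
        }
    } else {
        Write-Output ("Could not parse version '{0}'; verify manually." -f $product.DisplayVersion)
    }
}

# Exposure check: is anything listening on TCP/400, and on which address?
# Unlike "netstat | findstr :400", this cannot match 4000-4999 or remote ports.
$listeners = Get-NetTCPConnection -LocalPort 400 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ('TCP/400 listening on {0} (PID {1}, {2})' -f $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }
    # A 0.0.0.0 or :: listener is reachable from every interface; pair it with
    # a firewall allow-list until the patch is in place.
} else {
    Write-Output 'Nothing listening on TCP/400 on this host.'
}
```

Run it on each host that carries the product, before and after patching; the "after" run should report the patched version and the same listener, since the fix does not change the port.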
📡 Detection & Monitoring
Log Indicators:
- Application crash logs
- High CPU/memory usage alerts
- Service restart events in Windows Event Log
Network Indicators:
- Unusual traffic patterns to port 400
- Malformed packets to port 400
- Connection attempts from unexpected sources
SIEM Query:
Splunk-style example; adjust index, sourcetype and field names to your environment. The original "packet_size>normal" is not a usable predicate (there is no published size threshold), and mixing OR and AND without parentheses makes the match ambiguous, so the host and network legs are separated: source="WinEventLog:Application" (EventCode=1000 OR EventCode=1001) Message="*FactoryTalk*" for crashes, and dest_port=400 NOT src_ip IN (<trusted hosts>) | stats count by src_ip, dest_ip for connections from outside the allow-list. Alert when the two legs fire within minutes of each other.
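The host-side log indicators above, collected from the Windows event logs in one query. This is an added example, not part of the advisory; it matches events loosely on the string "FactoryTalk" (tighten that to the actual executable or service name on your install), and the Security-log part only returns anything if Windows Filtering Platform connection auditing is enabled.

```powershell
# Added example (not part of the advisory): pull the host-side indicators of a
# DoS against FactoryTalk Transaction Manager from the Windows event logs.
# ASSUMPTION: crash and service events mention "FactoryTalk" in their message;
# adjust $Needle to the real process/service name on your install.
$Since  = (Get-Date).AddHours(-24)
$Needle = 'FactoryTalk'

# Application log: 1000 = Application Error (process crash),
#                  1001 = Windows Error Reporting record for that crash.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error', 'Windows Error Reporting'
    Id           = 1000, 1001
    StartTime    = $Since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $Needle }

# System log: Service Control Manager 7031/7034 = service terminated unexpectedly
# (7031 when a recovery action such as restart was configured).
$svcDeaths = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = $Since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $Needle }

$hits = @($crashes) + @($svcDeaths) | Sort-Object TimeCreated
$hits | Select-Object TimeCreated, LogName, Id, ProviderName,
    @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Correlation: a crash shortly after inbound connections to TCP/400 from an
# unexpected source is the signature of this bug. With WFP audit logging on,
# Security events 5156 (allowed) / 5157 (blocked) carry the remote address and
# destination port, so the two can be lined up by time.
$wfp = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5156, 5157
    StartTime = $Since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Destination Port:\s+400\b' }

'{0} crash/restart events, {1} WFP connection events to port 400 since {2}' -f @($hits).Count, @($wfp).Count, $Since
```

Schedule it (or the equivalent forwarder rule) rather than running it by hand: the useful signal is a crash event landing within minutes of a TCP/400 connection from an address outside the allow-list.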