CVE-2023-46289
📋 TL;DR
This vulnerability in Rockwell Automation FactoryTalk View Site Edition allows threat actors to send malicious input that crashes the software, causing a denial-of-service condition. The affected product becomes unavailable and requires a restart to recover. Industrial control systems using this software are at risk.
💻 Affected Systems
- Rockwell Automation FactoryTalk View Site Edition
📦 What is this software?
FactoryTalk View by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Critical industrial processes are disrupted due to FactoryTalk View becoming unavailable, potentially causing production downtime, safety issues, or equipment damage.
Likely Case
FactoryTalk View services crash, requiring manual restart and causing temporary disruption to HMI operations and monitoring capabilities.
If Mitigated
With proper network segmentation and input validation controls, the impact is limited to isolated systems with minimal operational disruption.
🎯 Exploit Status
The vulnerability involves insufficient input validation, making exploitation relatively straightforward for attackers who can reach the vulnerable interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v12.0.1 or later
Vendor Advisory: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1141167
Restart Required: Yes
Instructions:
1. Download FactoryTalk View Site Edition v12.0.1 or later from Rockwell Automation's website.
2. Back up current configuration and data.
3. Install the updated version following Rockwell's installation guide.
4. Restart the system to apply changes.
5. Verify the installation and test functionality.
🔧 Temporary Workarounds
Network Segmentation
Isolate FactoryTalk View systems from untrusted networks using firewalls and network segmentation.
Input Validation Controls
Implement additional input validation at network perimeter devices or application firewalls.
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to FactoryTalk View systems only from trusted sources.
- Deploy intrusion detection/prevention systems to monitor for malicious input patterns targeting FactoryTalk View services.
🔍 How to Verify
Check if Vulnerable:
Check the FactoryTalk View Site Edition version in the software's About dialog or installation directory. Versions prior to 12.0.1 are vulnerable.
Check Version:
Check via FactoryTalk View's Help > About menu or examine the installation directory for version information.
Verify Fix Applied:
Verify the installed version is 12.0.1 or later and test the system's stability with various input scenarios.
📡 Detection & Monitoring
Log Indicators:
- Unexpected service crashes or restarts of FactoryTalk View processes
- Error logs indicating malformed input or validation failures
- Connection attempts from unusual sources to FactoryTalk View ports
Network Indicators:
- Unusual traffic patterns to FactoryTalk View ports (typically 445, 135, 102)
- Malformed packets or input patterns targeting FactoryTalk View services
- Connection attempts from unauthorized IP addresses
SIEM Query:
source="FactoryTalk" AND (event_type="crash" OR event_type="service_stop" OR message="*validation*error*")
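Correlating the log and network indicators above: the following sketch flags a FactoryTalk View service crash that is preceded, within a short window, by a connection from outside a trusted subnet. It is an added example, not taken from the vendor advisory; the log line layout, the service name `ftview-example`, the trusted subnet and the 30-second window are all assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not from the advisory): log layout, allowlist and window size.
TRUSTED = [ip_network("10.10.0.0/24")]  # hypothetical engineering-workstation subnet
WINDOW = timedelta(seconds=30)          # how far back to look before a crash

# Constructed sample lines; ports are the ones listed under Network Indicators.
SAMPLE_LOG = """\
2023-11-02T10:14:00Z conn src=10.10.0.12 dport=135
2023-11-02T10:15:03Z conn src=192.0.2.77 dport=135
2023-11-02T10:15:09Z service_crash name=ftview-example
2023-11-02T11:40:00Z conn src=10.10.0.15 dport=445
2023-11-02T11:40:05Z service_crash name=ftview-example
2023-11-02T12:00:00Z conn src=198.51.100.9 dport=102
"""

def parse(line):
    """Split '<timestamp> <kind> k=v k=v' into (datetime, kind, dict)."""
    ts, kind, kv = line.split(maxsplit=2)
    fields = dict(pair.split("=", 1) for pair in kv.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, fields

def is_trusted(src):
    return any(ip_address(src) in net for net in TRUSTED)

def correlate(log_text):
    """Return one (crash_time, service, untrusted_sources) tuple per crash."""
    recent = []    # (timestamp, src) of connections from untrusted sources
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, fields = parse(line)
        if kind == "conn" and not is_trusted(fields["src"]):
            recent.append((ts, fields["src"]))
        elif kind == "service_crash":
            # Keep only untrusted connections seen inside the look-back window.
            recent = [(t, s) for t, s in recent if ts - t <= WINDOW]
            sources = sorted({s for _, s in recent})
            findings.append((ts.isoformat(), fields["name"], sources))
    return findings

if __name__ == "__main__":
    for when, service, sources in correlate(SAMPLE_LOG):
        label = "SUSPICIOUS" if sources else "crash, no untrusted peer"
        print(when, service, label, sources)
```

A crash with an empty source list still warrants review as a stability event; a crash with untrusted sources attached is the case to escalate.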