CVE-2024-21915
📋 TL;DR
A privilege escalation vulnerability in Rockwell Automation FactoryTalk Service Platform (FTSP) allows authenticated users with basic privileges to gain administrator access. This affects all organizations running vulnerable versions of FTSP and can lead to compromise of the industrial control systems it manages.
💻 Affected Systems
- Rockwell Automation FactoryTalk Service Platform
📦 What is this software?
FactoryTalk Services Platform by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing threat actors to modify critical industrial processes, delete operational data, and render the FTSP system unavailable, potentially causing operational disruption or safety incidents.
Likely Case
Unauthorized administrative access leading to data theft, configuration changes, and potential disruption of FactoryTalk services affecting connected industrial systems.
If Mitigated
Limited impact if proper network segmentation, least privilege access controls, and monitoring are implemented to detect privilege escalation attempts.
🎯 Exploit Status
Exploitation requires valid user credentials but basic privileges are sufficient. The vulnerability is in the authentication mechanism itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6.13.0
Vendor Advisory: https://www.rockwellautomation.com/en-us/support/advisory.SD1662.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk Service Platform version 6.13.0 from the Rockwell Automation Product Compatibility and Download Center.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart the system as prompted.
🔧 Temporary Workarounds
Restrict User Access
Limit user accounts to only essential personnel and implement strict access controls.
Network Segmentation
Isolate FTSP systems from general network access and implement firewall rules.
🧯 If You Can't Patch
- Implement strict monitoring of authentication logs for privilege escalation attempts
- Apply additional authentication controls and review all user permissions regularly
🔍 How to Verify
Check if Vulnerable:
Check FTSP version in Control Panel > Programs and Features. Vulnerable if version is 6.11.0 or 6.12.0.
Check Version:
No dedicated command is listed; check the version via the Windows Control Panel or the FTSP interface.
Verify Fix Applied:
Verify version shows 6.13.0 or higher after patching and test that basic users cannot gain administrative privileges.
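The version check above can be scripted for many hosts. The following PowerShell is an added example, not code from the advisory or from Rockwell Automation: it reads the installed FTSP version from the Windows Uninstall registry keys and classifies it using the version numbers this page lists (6.11.0 and 6.12.0 vulnerable, 6.13.0 or higher fixed). The DisplayName pattern used to find the product entry is an assumption and may need adjusting on your hosts.

```powershell
# Added example (not from the advisory): locate FactoryTalk Services Platform in the
# Windows Uninstall registry keys and compare its version against CVE-2024-21915 data.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-FtspInstall {
    # The DisplayName pattern is an assumption; change it if your entry is named differently.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'FactoryTalk Services Platform*' } |
        Select-Object DisplayName, DisplayVersion
}

function Test-FtspVulnerable {
    param([string]$DisplayVersion)
    # Keep only the leading numeric part so strings like "6.11.00 (CPR 9 SR 11)" still parse.
    if ($DisplayVersion -notmatch '^\d+(\.\d+){1,3}') { return 'Unparseable version string' }
    $v     = [version]$Matches[0]
    $fixed = [version]'6.13.0'
    if ($v -ge $fixed) { return 'Patched (6.13.0 or higher)' }
    if ($v.Major -eq 6 -and ($v.Minor -eq 11 -or $v.Minor -eq 12)) {
        return 'VULNERABLE to CVE-2024-21915 (6.11.0 / 6.12.0)'
    }
    return 'Version not listed on this page; confirm against advisory SD1662'
}

$installs = Get-FtspInstall
if (-not $installs) {
    Write-Output 'FactoryTalk Services Platform not found in Uninstall registry keys.'
} else {
    foreach ($i in $installs) {
        '{0} {1}: {2}' -f $i.DisplayName, $i.DisplayVersion, (Test-FtspVulnerable $i.DisplayVersion)
    }
}
```

Run it in an elevated session on each FTSP host, or wrap it in Invoke-Command to sweep a fleet; a registry-based check does not replace confirming with the vendor advisory that the installed build is one Rockwell lists as fixed.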
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- User accounts gaining administrative access unexpectedly
- Authentication anomalies in FTSP logs
Network Indicators:
- Unusual administrative access patterns from non-admin user accounts
- Authentication requests to FTSP from unexpected sources
SIEM Query:
source="FTSP" AND (event_type="privilege_escalation" OR user_group_change="Administrator")