CVE-2024-21917
📋 TL;DR
This vulnerability in Rockwell Automation FactoryTalk Service Platform allows attackers to steal service tokens and use them to authenticate to other FTSP directories without proper validation. This enables unauthorized access to user information and system settings modification. Organizations using affected FactoryTalk Service Platform versions are at risk.
💻 Affected Systems
- Rockwell Automation FactoryTalk Service Platform
📦 What is this software?
FactoryTalk Services Platform by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of FactoryTalk Service Platform environment allowing attackers to modify critical industrial control system configurations, steal sensitive operational data, and potentially disrupt manufacturing processes.
Likely Case
Unauthorized access to user information and system settings, potentially leading to data theft, configuration changes, and privilege escalation within the FactoryTalk ecosystem.
If Mitigated
Limited impact if proper network segmentation, access controls, and monitoring are in place to detect token misuse attempts.
🎯 Exploit Status
Exploitation requires initial access to the system, but token theft and reuse are straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6.12.00 and later
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1660.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk Service Platform version 6.12.00 or later from Rockwell Automation.
2. Back up the current configuration.
3. Install the update following vendor documentation.
4. Restart affected systems.
5. Verify proper functionality post-update.
🔧 Temporary Workarounds
Network Segmentation
Isolate FactoryTalk Service Platform systems from untrusted networks and implement strict access controls.
Enhanced Monitoring
Implement logging and monitoring for unusual token usage patterns and authentication attempts.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FactoryTalk systems from other networks
- Deploy enhanced monitoring and alerting for suspicious authentication patterns and token usage
🔍 How to Verify
Check if Vulnerable:
Check FactoryTalk Service Platform version via Control Panel > Programs and Features or using vendor-provided version checking tools.
Check Version:
Check Windows Programs and Features or use Rockwell Automation diagnostic tools
Verify Fix Applied:
Verify installed version is 6.12.00 or later and test token validation between FTSP components.
📡 Detection & Monitoring
Log Indicators:
- Multiple authentication attempts with same token from different sources
- Unusual token generation patterns
- Authentication failures followed by successful access
Network Indicators:
- Unexpected cross-directory authentication traffic
- Token reuse across different FTSP endpoints
SIEM Query:
source="FactoryTalk" AND ((event_type="authentication" AND token_reuse=true) OR (source_ip!=dest_ip AND same_token))
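The "same token from different sources" and "token reuse across different FTSP endpoints" indicators above can be turned into a correlation rule over authentication events. The following is an added example, not code from Rockwell Automation or from this page; the event schema (`ts`, `token_id`, `src_ip`, `directory`), the sample values, and the 15-minute window are assumptions to adapt to whatever your log pipeline actually produces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed, normalized schema (not a real
# FactoryTalk log format). "token_id" stands for a hash of the service token,
# never the token itself.
SAMPLE_EVENTS = [
    {"ts": "2024-02-01T08:00:00", "token_id": "tok-a", "src_ip": "10.0.1.10", "directory": "FTSP-DIR-1"},
    {"ts": "2024-02-01T08:01:30", "token_id": "tok-a", "src_ip": "10.0.1.10", "directory": "FTSP-DIR-1"},
    {"ts": "2024-02-01T08:02:00", "token_id": "tok-b", "src_ip": "10.0.1.11", "directory": "FTSP-DIR-1"},
    {"ts": "2024-02-01T08:05:00", "token_id": "tok-b", "src_ip": "10.0.9.77", "directory": "FTSP-DIR-2"},
    {"ts": "2024-02-01T12:00:00", "token_id": "tok-c", "src_ip": "10.0.1.12", "directory": "FTSP-DIR-1"},
    {"ts": "2024-02-01T20:00:00", "token_id": "tok-c", "src_ip": "10.0.1.13", "directory": "FTSP-DIR-1"},
]


def find_token_reuse(events, window=timedelta(minutes=15)):
    """Return alerts for tokens seen from >1 source or against >1 directory
    within `window`. Each alert: (token_id, reasons, sources, directories)."""
    by_token = defaultdict(list)
    for ev in events:
        by_token[ev["token_id"]].append((datetime.fromisoformat(ev["ts"]), ev))

    alerts = []
    for token_id, seen in by_token.items():
        seen.sort(key=lambda pair: pair[0])
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward so seen[start..end] spans <= window.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            in_window = [ev for _, ev in seen[start:end + 1]]
            sources = sorted({ev["src_ip"] for ev in in_window})
            directories = sorted({ev["directory"] for ev in in_window})
            reasons = []
            if len(sources) > 1:
                reasons.append("multiple_sources")
            if len(directories) > 1:
                reasons.append("cross_directory")
            if reasons:
                alerts.append((token_id, reasons, sources, directories))
                break  # one alert per token is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_token_reuse(SAMPLE_EVENTS):
        print(alert)
```

The window keeps a long-lived token that legitimately moves between hosts hours apart (`tok-c` in the sample) from alerting, while near-simultaneous use from two sources or against two directories (`tok-b`) is flagged.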