CVE-2023-46290:
An unauthenticated attacker could potentially obtain a local Windows OS user token via the FactoryTalk Services Platform web service and use that token to log in to FactoryTalk Services Platform, enabling token impersonation (CWE-287). The vulnerability affects versions before 2.80 and has a high impact (CVSS v3.1 base score 8.1).
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.1 High
- Published Date: Oct 27, 2023
- CISA KEV Date: *No Data*
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.2
- EPSS Percentile: 37%
Exploitability
- Score: 2.2
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
This vulnerability arises from insufficient authentication logic in the FactoryTalk Services Platform web service, enabling a threat actor to obtain a local Windows token and use it to access the platform. It requires no user interaction and can be exploited over the network. The flaw is categorized as CWE-287 Improper Authentication and CAPEC-633 Token Impersonation, with a high potential impact if exploited. Only versions prior to 2.80 are affected; upgrading to a fixed release mitigates the issue.
Remediation
- Upgrade to FactoryTalk Services Platform version 2.80 or newer, as this version contains the remediation for the vulnerability. Verify compatibility with your environment using Rockwell’s compatibility tooling (the compatibility page linked in Rockwell’s notices) to determine the exact version that fits your deployment.
- After upgrading, review and apply Rockwell’s security guidance (QA43240) for hardened configuration and best practices.
- Verify that the web service requires proper authentication and that token issuance cannot be misused to log in as the user. Perform security testing to confirm the vulnerability is mitigated.
- If feasible, restrict access to the FactoryTalk Services Platform web service to trusted networks or authenticated clients to reduce exposure.
- Validate the environment post-upgrade with relevant security scans and maintain a process to apply future security updates promptly.
References
- Rockwell Automation: FactoryTalk Services Platform Elevated Privileges Vulnerability. https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1141165
- Compatibility and upgrade guidance for FactoryTalk Services Version (Compatibility page referenced in remediation). https://compatibility.rockwellautomation.com/Pages/MultiProductCompareSelections.aspx?crumb=113&versions=61602,60883,59837,59480,58564,57413,58591,59481,59482,59483,59484,59485,59486,59487,59488,59490,59491,59492,59493,59494,59495,59496
- QA43240 - Recommended Security Guidelines from Rockwell Automation. https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012
- CWE-287: Improper Authentication. https://cwe.mitre.org/data/definitions/287.html
- CAPEC-633: Token Impersonation. https://capec.mitre.org/data/definitions/633.html
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.