CVE-2024-21917:
Critical vulnerability in Rockwell Automation FactoryTalk Service Platform (CVE-2024-21917) that allows a malicious user to obtain the service token and reuse it for authentication across FTSP directories due to a lack of digital signing, enabling authentication bypass and potential unauthorized access.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.1Critical- Published Date:Jan 31, 2024
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.3
- EPSS Percentile:51%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.2
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:NONE
Description Preview
Critical vulnerability in Rockwell Automation FactoryTalk Service Platform (CVE-2024-21917) that allows a malicious user to obtain the service token and reuse it for authentication across FTSP directories due to a lack of digital signing, enabling authentication bypass and potential unauthorized access.
Overview
A critical authentication bypass vulnerability exists in Rockwell Automation's FactoryTalk Service Platform. The flaw allows a malicious actor to obtain the service token and reuse it to authenticate across FTSP directories because there is no digital signing binding the service token to the directory. Consequently, an attacker could access user information and modify settings without authentication, impacting confidentiality, integrity, and availability. Affected releases include FactoryTalk Service Platform up to version 6.31.
Remediation
- Upgrade to FactoryTalk Service Platform version 6.40 or later.
- If upgrading is not possible, enable verification of publisher information (digital signatures) for executables that use the FactoryTalk Services APIs. This setting is configurable in the Application Authorization node within System Policies via the FactoryTalk Administration Console.
- Set the DCOM authentication level to 6 to encrypt the service token and the communication channel between server and client. Refer to the Mitigating Microsoft DCOM Hardening Patch guidance (CVE-2021-26414) for details.
- Apply Rockwell Security Best Practices and related hardening guidance to minimize exposure (including network segmentation, token handling, and access controls).
- Proactively monitor for anomalous token usage, rotate/service token handling policies, and restrict access to FTSP APIs to trusted clients.
References
- - [Rockwell Advisory SD1660](https://www.rockwellautomation.com/en-us/support/advisory.SD1660.html)
- - [Security Best Practices for FactoryTalk Services](https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight)
- - [Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414)](https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1134040)
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
