CVE-2024-21917:Critical vulnerability in Rockwell Automation FactoryTalk Service Platform (CVE-2024-21917) that allows a malicious user to obtain the service token and reuse it for authentication across FTSP directories due to a lack of digital signing, enabling authentication bypass and potential unauthorized access.

splash
Back

Description Preview

Rockwell Automation's FactoryTalk Service Platform contains a critical vulnerability that permits an attacker to obtain the service token and use it to authenticate against another FTSP directory. The root cause is the absence of digital signing between the FTSP service token and the directory, allowing token reuse across FTSP directories. If exploited, an attacker could potentially retrieve user information and modify settings without any authentication. The affected product is FactoryTalk Service Platform with versions up to and including 6.31. The CVSS v3.1 score is 9.8 (CRITICAL), with a network attack vector, no privileges required, no user interaction, and impacts to confidentiality, integrity, and availability. The issue is associated with CWE-347 (Improper Verification of Cryptographic Signature) and CAPEC-115 (Authentication Bypass). Rockwell provides mitigations including upgrading to version 6.40 or later, enabling stronger DCOM authentication, or, when upgrading is not feasible, enabling verification of publisher information (digital signatures) for executables using the FactoryTalk Services APIs, along with following Security Best Practices.

Overview

A critical authentication bypass vulnerability exists in Rockwell Automation's FactoryTalk Service Platform. The flaw allows a malicious actor to obtain the service token and reuse it to authenticate across FTSP directories because there is no digital signing binding the service token to the directory. Consequently, an attacker could access user information and modify settings without authentication, impacting confidentiality, integrity, and availability. Affected releases include FactoryTalk Service Platform up to version 6.31.

Remediation

  • Upgrade to FactoryTalk Service Platform version 6.40 or later.
  • If upgrading is not possible, enable verification of publisher information (digital signatures) for executables that use the FactoryTalk Services APIs. This setting is configurable in the Application Authorization node within System Policies via the FactoryTalk Administration Console.
  • Set the DCOM authentication level to 6 to encrypt the service token and the communication channel between server and client. Refer to the Mitigating Microsoft DCOM Hardening Patch guidance (CVE-2021-26414) for details.
  • Apply Rockwell Security Best Practices and related hardening guidance to minimize exposure (including network segmentation, token handling, and access controls).
  • Proactively monitor for anomalous token usage, rotate/service token handling policies, and restrict access to FTSP APIs to trusted clients.

References

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Retail Trade: Low
    Retail Trade
  3. Public Administration: Low
    Public Administration
  4. Health Care & Social Assistance: Low
    Health Care & Social Assistance
  5. Transportation & Warehousing: Low
    Transportation & Warehousing
  6. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  7. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  8. Utilities: Low
    Utilities
  9. Educational Services: Low
    Educational Services
  10. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  11. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  12. Information: Low
    Information
  13. Mining: Low
    Mining
  14. Accommodation & Food Services: Low
    Accommodation & Food Services
  15. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  16. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  17. Construction: Low
    Construction
  18. Finance and Insurance: Low
    Finance and Insurance
  19. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background