Experts found critical flaws in Rockwell FactoryTalk AssetCentre

Rockwell Automation has recently addressed nine critical vulnerabilities in its FactoryTalk AssetCentre product with the release of version v11.

The American provider of industrial automation Rockwell Automation on Thursday informed customers that it has patched nine critical vulnerabilities in its FactoryTalk AssetCentre product.

FactoryTalk AssetCentre provides customers with a centralized tool for securing, managing, versioning, tracking and reporting automation-related asset information across their entire facility.

All the vulnerabilities were discovered by security experts at industrial cybersecurity firm Claroty, ICS-CERT also published an advisory that provides details about the vulnerabilities and mitigation information.

The AssetCentre architecture is mainly composed of a main server, an MS-SQL server database, clients, and remote agents that run on engineering workstations (generally, Windows-based machines).

Each agent communicates with the centralized server and can accept and send commands to automation devices, such as PLCs.

“Claroty researchers were able to find deserialization vulnerabilities in a number of remoting services running on FactoryTalk AssetCentre, which handle inter-process communication within an OT network, as well as SQL-injection vulnerabilities in other service functions. These services run with the highest system privileges, meaning that any arbitrary code supplied by an attacker would also execute with those same privileges, allowing full access to the machine.” reads the advisory published by Claroty.

“Deserialization vulnerabilities, meanwhile, are a class of bugs that occur when an attacker is able to inject malicious code into a serialized object that would be executed later when being deserialized.”

The issues discovered by the researchers are deserialization and SLQ injection vulnerabilities, the the flaws have been rated with a CVSS score of 10.

Claroty experts explained that an unauthenticated, remote attacker could exploit these vulnerabilities to take control of the centralized FactoryTalk AssetCentre Server and Windows-based engineering stations communicating with the server. Finally the attacker could own a facility’s entire operational technology (OT) network and run commands on server agents and automation devices such as programmable logic controllers (PLCs).

“Successful exploitation of these vulnerabilities may allow unauthenticated attackers to perform arbitrary command execution, SQL injection, or remote code execution.” reads the advisory published by CISA.

The advisory published by Rockwell is available here.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FactoryTalk AssetCentre)

[adrotate banner=”5″]

[adrotate banner=”13″]