A vulnerability exists in Rockwell Automation FactoryTalk® Service Platform that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory. If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.
The FactoryTalk® Service Platform issues service tokens used for authentication between system components. These tokens are not digitally signed in a way that binds them to a specific FTSP directory, which means that a token obtained from one directory can be replayed in another. An attacker who intercepts such a token can present it to another FTSP directory and gain access as an authenticated user without knowing the password.
An attacker can gain unauthorized access to user information and modify system settings. In industrial OT/ICS environments, this can lead to disruption of production processes or loss of configuration integrity.
Apply patches available from the manufacturer according to references (Rockwell Automation advisory SD1660 available at https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1660.html). Until updates are applied, it is recommended to segment the industrial network and restrict access to FTSP services exclusively to trusted hosts.
Rockwell Automation FactoryTalk® Service Platform — versions indicated in the manufacturer's references (advisory SD1660)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRockwellautomation Factorytalk Services Platform
APPRockwellautomation≤ 6.31.00
Related vulnerabilities
Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 ...
Privilege escalation w Rockwell Automation FactoryTalk Services Platform
In Rockwell Automation FactoryTalk Services Platform Versions 6.10.00 and 6.11.00, there is an issue with the ...
In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Servic...
Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Wind...