
PN1627 | FactoryTalk® System Services affecting FactoryTalk® Policy Manager – Multiple Vulnerabilities

Severity: High, Medium
Advisory ID: PN1627
Published Date: June 13, 2023
Last Updated: September 09, 2025
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2023-2639, CVE-2023-2637, CVE-2023-2638
Summary
FactoryTalk® System Services affecting FactoryTalk® Policy Manager – Multiple Vulnerabilities

 

Revision Number
1.1
Revision History
Version 1.0 - June 13, 2023
Version 1.1 - September 9, 2015 - Updated for better readability

Affected Products

Affected Product (automated): FactoryTalk® Services Platform *
First Known in Software Version: 6.11.00
Corrected in Software Version: 6.30.00
* Only if the following were installed:
  • FactoryTalk® Policy Manager v6.11.0
  • FactoryTalk® System Services v6.11.0

Security Issue Details

Rockwell Automation received a report from Claroty regarding three security issues in FactoryTalk® System Services. If used, these security issues could result in information disclosure, loading of malicious configuration files, or the elevation of privileges from a user to an administrator.

FactoryTalk® Policy Manager is dependent upon FactoryTalk® System Services and both components must be installed together. Rockwell Automation uses the latest version of the CVSS scoring system to assess security issues.

CVE-2023-2637  IMPACT
A hard-coded cryptographic key may lead to privilege escalation. FactoryTalk® System Services uses a hard-coded cryptographic key to generate administrator cookies. This security issue could allow a local, authenticated non-admin user to generate an invalid administrator cookie. This would give them administrative privileges to the FactoryTalk® Policy Manager database. This would allow the threat actor to make harmful changes to the database. The changes would then be used when a legitimate FactoryTalk® Policy Manager user deploys a security policy model. User interaction is required for this security issue to be successfully used.

CVSS Base Score: 7.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
CWE: CWE-321: Use of Hard-coded Cryptographic Key


Known Exploited Vulnerability (KEV) database: No
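
The difference between a key compiled into the software and a per-installation secret, as an added example (not Rockwell Automation's code; the cookie layout, key value, user names and function names are assumptions made for illustration):

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a key compiled into every copy of a product.
HARDCODED_KEY = b"constructed-demo-key-identical-on-every-install"


def sign_cookie(key: bytes, user: str, role: str) -> str:
    """Return 'user|role|hex-hmac' (hypothetical cookie layout)."""
    tag = hmac.new(key, f"{user}|{role}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{role}|{tag}"


def verify_cookie(key: bytes, cookie: str):
    """Return (user, role) if the tag verifies under key, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, role, tag = parts
    expected = hmac.new(key, f"{user}|{role}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: do not leak how many tag characters matched.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return user, role


def new_install_key() -> bytes:
    """Random per-installation secret. A real service would persist it in an
    administrator-only store; here it only lives in memory."""
    return secrets.token_bytes(32)


def demo() -> dict:
    # Anyone holding a copy of the software knows HARDCODED_KEY, so a cookie
    # signed outside the service is indistinguishable from a genuine one.
    outside = sign_cookie(HARDCODED_KEY, "operator1", "admin")
    site_a, site_b = new_install_key(), new_install_key()
    own = sign_cookie(site_a, "alice", "admin")
    return {
        "hardcoded_verifier": verify_cookie(HARDCODED_KEY, outside),
        "per_install_verifier": verify_cookie(site_a, outside),
        "own_cookie": verify_cookie(site_a, own),
        "other_install": verify_cookie(site_b, own),
        "tampered_role": verify_cookie(site_a, own.replace("|admin|", "|root|")),
    }
```

With a per-installation key, a cookie signed anywhere else, including on another installation of the same software, fails verification.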

CVE-2023-2638  IMPACT
An improper authorization in FTSSBackupRestore.exe could lead to the loading of harmful configuration archives. FactoryTalk® System Services does not verify that a backup configuration archive is password protected. This security issue could allow a local, authenticated non-admin user to craft a harmful backup archive. This wouldn't have password protection and will be loaded by FactoryTalk® System Services as a valid backup when a restore procedure takes place. User interaction is required for this security issue to be used.

CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
CWE: CWE-287: Improper Authentication


Known Exploited Vulnerability (KEV) database: No

CVE-2023-2639  IMPACT
An origin validation error may lead to information disclosure. There is an underlying feedback mechanism of FactoryTalk® System Services that transfers the FactoryTalk® Policy Manager rules to relevant devices on the network. This does not verify that the origin of the communication is from a legitimate local client device. It could allow a threat actor to create a harmful website that will send a harmful script. The script can connect to the local WebSocket endpoint and wait for events as if it were a valid client device. If used, a threat actor could receive information including whether FactoryTalk® Policy Manager is installed. It could also allow the threat actor to view the entire security policy. User interaction is required for this to be used.

CVSS Base Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE: CWE-346: Origin Validation Error


Known Exploited Vulnerability (KEV) database: No
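
One way a local WebSocket endpoint can validate the handshake's Origin header before it sends any events, as an added example (not Rockwell Automation's code; the allowlisted origin, port, request path and function names are constructed for illustration):

```python
from urllib.parse import urlsplit

# Assumption: origin of the legitimate local client (constructed value).
ALLOWED_ORIGINS = {("https", "localhost", 8443)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_headers(raw_request: str) -> dict:
    """Header lines of an HTTP/1.1 request as a lowercase-keyed dict."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def origin_tuple(origin: str):
    """Normalise an Origin value to (scheme, host, port); None if unusable."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname.lower(), port


def accept_upgrade(raw_request: str) -> bool:
    """Allow the WebSocket handshake only for an allowlisted Origin."""
    headers = parse_headers(raw_request)
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    # A missing or "null" Origin normalises to None and is refused.
    return origin_tuple(headers.get("origin", "")) in ALLOWED_ORIGINS


def handshake(origin=None) -> str:
    """Constructed sample handshake request for exercising the check."""
    lines = ["GET /events HTTP/1.1", "Host: localhost:8443",
             "Upgrade: websocket", "Connection: Upgrade"]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return "\r\n".join(lines) + "\r\n\r\n"
```

Browsers set Origin themselves and page script cannot override it, so this check covers the website-driven scenario described above; a non-browser client can send any Origin, so the endpoint still needs to authenticate its clients.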

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the risk mitigations and security best practices below.
  • Upgrade to 6.30.00 or later, which has been patched to mitigate these issues.
  • For information on how to mitigate security risks on industrial automation control systems (IACS) networks, see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM001
  • Implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.

Additional Resources

CVE-2023-2637 JSON
CVE-2023-2638 JSON
CVE-2023-2639 JSON
 

Glossary

Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Medium Strength Ciphers: encryption methods that use key lengths of at least 64 bits and less than 112 bits, or those with key lengths at least 56 bits and less than 112 bits

 
