Severity:
High,
Medium
Advisory ID:
PN1627
Published:
June 13, 2023
Last Updated:
September 09, 2025
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2023-2639,
CVE-2023-2637,
CVE-2023-2638
Summary
FactoryTalk® System Services affecting FactoryTalk® Policy Manager – Multiple Vulnerabilities
Revision Number
1.1
Revision History
Version 1.0 - June 13, 2023
Version 1.1 - September 9, 2015 - Updated for better readability
Affected Products
Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Services Platform* | 6.11.00 | 6.30.00
* Only if the following were installed:
Security Issue Details
Rockwell Automation received a report from Claroty regarding three security issues in FactoryTalk® System Services. If used, these security issues could result in information disclosure, loading of malicious configuration files, or the elevation of privileges from a user to an administrator.
FactoryTalk® Policy Manager is dependent upon FactoryTalk® System Services and both components must be installed together. Rockwell Automation uses the latest version of the CVSS scoring system to assess security issues.
CVE-2023-2637 IMPACT
A hard-coded cryptographic key may lead to privilege escalation. FactoryTalk® System Services uses a hard-coded cryptographic key to generate administrator cookies. This security issue could allow a local, authenticated non-admin user to generate an invalid administrator cookie. This would give them administrative privileges to the FactoryTalk® Policy Manager database. This would allow the threat actor to make harmful changes to the database. The changes would then be used when a legitimate FactoryTalk® Policy Manager user deploys a security policy model. User interaction is required for this security issue to be successfully used.
CVSS Base Score: 7.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
CWE: CWE-321: Use of Hard-coded Cryptographic Key
Known Exploited Vulnerability (KEV) database:
No
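The weakness behind CVE-2023-2637 is not the signing algorithm but where the key lives: a key compiled into the product is shared by every installation and known to any local user who can read it, so a cookie it signs proves nothing about who minted it. The following example is added here to illustrate that point and is not Rockwell Automation code; the key, cookie layout and role names are constructed for the example. It contrasts cookie verification under a shared hard-coded key with verification under a random per-installation key that only the service holds.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed for this example: a key baked into the program text. Every installation
# shares it, so anyone who can read the binary or its configuration can mint cookies.
HARDCODED_KEY = b"example-hardcoded-key-do-not-ship"


def generate_install_key() -> bytes:
    """Hardened alternative: a random key created once per installation and stored
    where only the service account can read it (the storage step is assumed here)."""
    return secrets.token_bytes(32)


def make_cookie(key: bytes, user: str, role: str) -> str:
    """Sign a small claims payload with HMAC-SHA256 under `key`."""
    payload = json.dumps({"u": user, "r": role}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(payload).decode()}.{base64.urlsafe_b64encode(tag).decode()}"


def verify_cookie(key: bytes, cookie: str) -> Optional[dict]:
    """Return the claims if the cookie's tag verifies under `key`, otherwise None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def is_admin(key: bytes, cookie: str) -> bool:
    claims = verify_cookie(key, cookie)
    return claims is not None and claims.get("r") == "admin"


def demo() -> dict:
    """Compare the two designs and return the outcomes so they can be checked."""
    # Under CWE-321 the non-admin user knows the shared key (it ships with the product),
    # so a cookie they mint with the admin role verifies as genuine.
    minted_with_shared_key = make_cookie(HARDCODED_KEY, "operator", "admin")
    # Under a per-installation secret the same cookie is rejected: whoever minted it never held the key.
    install_key = generate_install_key()
    genuine = make_cookie(install_key, "operator", "user")
    # A cookie whose claims are altered after signing is rejected as well.
    _, tag_b64 = genuine.split(".", 1)
    altered_payload = json.dumps({"u": "operator", "r": "admin"}, sort_keys=True).encode()
    altered = f"{base64.urlsafe_b64encode(altered_payload).decode()}.{tag_b64}"
    return {
        "shared_key_accepts_minted_admin": is_admin(HARDCODED_KEY, minted_with_shared_key),
        "install_key_rejects_minted_admin": not is_admin(install_key, minted_with_shared_key),
        "install_key_rejects_altered": verify_cookie(install_key, altered) is None,
        "install_key_accepts_genuine": verify_cookie(install_key, genuine) == {"r": "user", "u": "operator"},
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The design note for defenders: rotating from a hard-coded key to a per-installation key is what removes the local user's ability to mint cookies; the verifier code itself is unchanged. Key generation at install time, restrictive file permissions on the stored key, and a rotation path are the operational pieces this example assumes rather than implements.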
CVE-2023-2638 IMPACT
An improper authorization in FTSSBackupRestore.exe could lead to the loading of harmful configuration archives. FactoryTalk® System Services does not verify that a backup configuration archive is password protected. This security issue could allow a local, authenticated non-admin user to craft a harmful backup archive. This wouldn't have password protection and would be loaded by FactoryTalk® System Services as a valid backup when a restore procedure takes place. User interaction is required for this security issue to be used.
CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
CWE: CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database:
No
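The defensive point in CVE-2023-2638 is that a restore path must treat the presence and validity of the archive's protection as a precondition, not an optional attribute. The example below is added here and is not Rockwell Automation code or the FTSSBackupRestore.exe format; it uses a constructed JSON archive layout in which a password-derived HMAC tag stands in for "password protection". It places the weak restore routine, which loads any well-formed archive, next to a checked one that refuses archives with no protection block, archives whose tag does not verify under the supplied password, and archives whose body was changed after creation.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumed value for the example; tune to the deployment


class RestoreRejected(Exception):
    """Raised when an archive must not be restored."""


def _derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _canonical(config: dict) -> str:
    # Canonical serialisation so the tag covers exactly the bytes that will be restored.
    return json.dumps(config, sort_keys=True, separators=(",", ":"))


def create_backup(config: dict, password: Optional[str]) -> bytes:
    """Constructed archive format: {"body": <canonical JSON>, "auth": {"salt", "tag"}}.
    With password=None the "auth" block is omitted, which yields an unprotected archive."""
    body = _canonical(config)
    archive = {"body": body}
    if password is not None:
        salt = os.urandom(16)
        tag = hmac.new(_derive_key(password, salt), body.encode(), hashlib.sha256).hexdigest()
        archive["auth"] = {"salt": salt.hex(), "tag": tag}
    return json.dumps(archive).encode()


def restore_unchecked(archive: bytes) -> dict:
    """The weak pattern: every well-formed archive is loaded as a valid backup,
    whether or not it carries any protection at all."""
    return json.loads(json.loads(archive)["body"])


def restore_checked(archive: bytes, password: str) -> dict:
    """The hardened pattern: refuse archives that are not password protected and
    archives whose tag does not verify under the supplied password."""
    outer = json.loads(archive)
    auth = outer.get("auth")
    if not isinstance(auth, dict) or not isinstance(auth.get("salt"), str) or not isinstance(auth.get("tag"), str):
        raise RestoreRejected("archive is not password protected")
    body = outer.get("body")
    if not isinstance(body, str):
        raise RestoreRejected("archive has no body")
    try:
        salt = bytes.fromhex(auth["salt"])
    except ValueError:
        raise RestoreRejected("malformed salt")
    expected = hmac.new(_derive_key(password, salt), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, auth["tag"]):
        raise RestoreRejected("authentication failed: wrong password or modified archive")
    return json.loads(body)


def replace_body(archive: bytes, new_config: dict) -> bytes:
    """Swap the body of an existing archive while keeping its auth block (used to show
    that a modified archive fails verification)."""
    outer = json.loads(archive)
    outer["body"] = _canonical(new_config)
    return json.dumps(outer).encode()


if __name__ == "__main__":
    cfg = {"policy": "deny-by-default", "zones": ["cell-1"]}  # constructed sample configuration
    for label, arc, pw in [
        ("unprotected", create_backup(cfg, None), "pw"),
        ("protected, right password", create_backup(cfg, "pw"), "pw"),
        ("protected, wrong password", create_backup(cfg, "pw"), "other"),
    ]:
        try:
            restore_checked(arc, pw)
            print(f"{label}: restored")
        except RestoreRejected as e:
            print(f"{label}: rejected ({e})")
```

A password-derived MAC is used here because legacy ZIP-style password protection only encrypts entry contents and does not authenticate the archive; a restore path that checks for an encryption flag alone would still accept a flag that was set without the password. Whatever the real container format, the check belongs before any part of the archive is applied, and a rejected archive should be logged with the requesting user so that a crafted backup shows up in audit records.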
CVE-2023-2639 IMPACT
An origin validation error may lead to information disclosure. There is an underlying feedback mechanism of FactoryTalk® System Services that transfers the FactoryTalk® Policy Manager rules to relevant devices on the network. This does not verify that the origin of the communication is from a legitimate local client device. It could allow a threat actor to create a harmful website that will send a harmful script. The script can connect to the local WebSocket endpoint and wait for events as if it was a valid client device. If used, a threat actor could receive information including whether FactoryTalk® Policy Manager is installed. It could also allow the threat actor to view the entire security policy. User interaction is required for this to be used.
CVSS Base Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE: CWE-346: Origin Validation Error
Known Exploited Vulnerability (KEV) database:
No
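A browser sends an Origin header on every WebSocket opening handshake, and it is the server's job to compare that value against the origins it actually serves before completing the upgrade; a page on any other origin is a script the user's browser is running, not a legitimate client. The example below is added here to show that check on the server side of the RFC 6455 handshake and is not Rockwell Automation code; the allowed origin, endpoint path and request samples are constructed for the example, with the Sec-WebSocket-Key taken from the RFC's own worked example.

```python
import base64
import hashlib
from typing import Dict, Optional, Set, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake constant from RFC 6455

# Assumption for the example: the only legitimate client is the local UI served from this origin.
ALLOWED_ORIGINS: Set[str] = {"https://localhost:8443"}


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into its request line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def origin_allowed(origin: Optional[str], allowed: Set[str]) -> bool:
    """Exact match on scheme://host[:port]; no substring or suffix matching. A browser
    always sends Origin on a WebSocket handshake, so a missing header is not a browser
    client and is also refused here (non-browser clients would need their own
    authentication, which this example does not model)."""
    return origin is not None and origin.lower() in allowed


def accept_value(client_key: str) -> str:
    """Sec-WebSocket-Accept as defined in RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_response(raw: bytes, allowed: Set[str] = ALLOWED_ORIGINS) -> bytes:
    """Server side of the opening handshake with the origin check before the upgrade."""
    _, h = parse_request(raw)
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
    if not origin_allowed(h.get("origin"), allowed):
        # Refuse before any event data flows: the request came from a page this service does not serve.
        return b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n"
    return (
        b"HTTP/1.1 101 Switching Protocols\r\n"
        b"Upgrade: websocket\r\n"
        b"Connection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: " + accept_value(h["sec-websocket-key"]).encode("ascii") + b"\r\n\r\n"
    )


def status_code(response: bytes) -> int:
    return int(response.split(b" ", 2)[1])


# Constructed handshake requests. The key is the sample value from RFC 6455.
LOCAL_UI_REQUEST = (
    b"GET /events HTTP/1.1\r\nHost: localhost:8443\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n"
    b"Origin: https://localhost:8443\r\n\r\n"
)
FOREIGN_PAGE_REQUEST = LOCAL_UI_REQUEST.replace(b"Origin: https://localhost:8443", b"Origin: https://example.net")
NO_ORIGIN_REQUEST = LOCAL_UI_REQUEST.replace(b"Origin: https://localhost:8443\r\n", b"")

if __name__ == "__main__":
    for label, req in [("local UI", LOCAL_UI_REQUEST), ("foreign page", FOREIGN_PAGE_REQUEST), ("no Origin", NO_ORIGIN_REQUEST)]:
        print(f"{label}: {status_code(handshake_response(req))}")
```

Binding the endpoint to the loopback interface does not substitute for this check, because the browser on the same host reaches loopback on behalf of whatever page it has open; the Origin comparison is what distinguishes the local UI from any other page. Rejected handshakes are worth logging with the offending Origin value, since a burst of them from unexpected origins is the observable trace of the behaviour this advisory describes.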
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Risk Mitigation & User Action
Customers using the affected software should use the risk mitigations and security best practices below.
- Upgrade to 6.30.00 or later which has been patched to mitigate these issues.
- For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
- Implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.
Additional Resources
CVE-2023-2637 JSON
CVE-2023-2638 JSON
CVE-2023-2639 JSON
Glossary
Application Programming Interface (API): a set of protocols and tools that allow different software applications to communicate with each other.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Medium Strength Ciphers: encryption methods that use key lengths of at least 64 bits and less than 112 bits, or those with key lengths of at least 56 bits and less than 112 bits
Copyright ©2022 Rockwell Automation, Inc.