Learn about the critical vulnerability in Rockwell Automation FactoryTalk AssetCentre (CVE-2021-27460), allowing remote attackers to gain full system access. Find mitigation steps and long-term security practices here.
Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier versions are affected by a critical vulnerability due to insufficient verification of untrusted data. This flaw could allow a remote attacker to gain full access to the main server and all agent machines.
Understanding CVE-2021-27460
This CVE involves a deserialization vulnerability in .NET remoting endpoints of Rockwell Automation FactoryTalk AssetCentre, affecting versions up to v10.00.
What is CVE-2021-27460?
The vulnerability in FactoryTalk AssetCentre allows unauthenticated remote attackers to exploit .NET remoting endpoints, potentially leading to unauthorized access to both the main server and agent machines.
The Impact of CVE-2021-27460
With a high CVSS base score of 10, this critical vulnerability could have severe consequences, including unauthorized access and potential compromise of sensitive data.
Technical Details of CVE-2021-27460
The vulnerability is classified under CWE-502 - Deserialization of Untrusted Data, with a CVSS v3.1 score indicating low attack complexity and high impact on availability and confidentiality.
Vulnerability Description
Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier versions are susceptible to deserialization attacks due to inadequate validation of untrusted data.
Affected Systems and Versions
The vulnerability affects FactoryTalk AssetCentre versions up to v10.00, leaving them exposed to remote attackers seeking unauthorized server and agent machine access.
Exploitation Mechanism
Remote, unauthenticated threat actors can send tainted data to the .NET remoting endpoints, which deserialize it without sufficient verification, potentially compromising the system's integrity and confidentiality.
Mitigation and Prevention
To address CVE-2021-27460, Rockwell Automation recommends immediate actions and long-term security practices.
Immediate Steps to Take
Users of affected FactoryTalk AssetCentre versions are advised to update to v11 or newer to mitigate the vulnerability. Additionally, implementing built-in security features such as IPsec can help limit exposure to unauthorized clients.
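To find which installations still need the update, the version boundary above can be applied to an asset inventory. The Python below is an added example, not Rockwell Automation code; the inventory layout, hostnames and roles are assumptions, and versions between 10.00 and 11 are reported as unverified because the text above does not classify them.

```python
import re

# Boundaries from the text above: v10.00 and earlier affected, v11 or newer fixed.
LAST_AFFECTED = (10, 0)
FIRST_FIXED = (11, 0)


def parse_version(text):
    """Return (major, minor) from strings like 'v10.00', '11', '9.00.01', or None."""
    m = re.fullmatch(r"\s*[vV]?(\d+)(?:\.(\d+))?(?:\.\d+)*\s*", text or "")
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def classify(version_text):
    """Map an installed-version string to a triage status for CVE-2021-27460."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"          # unparseable or missing: check the host by hand
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unverified"           # between 10.00 and 11: not classified by the text


def triage(inventory):
    """Group hosts by status; the main server and agent machines are both in scope."""
    report = {"affected": [], "unverified": [], "unknown": [], "fixed": []}
    for host, role, version in inventory:
        report[classify(version)].append((host, role, version))
    return report


# Constructed sample inventory (hostnames, roles and versions are made up).
SAMPLE_INVENTORY = [
    ("ac-server-01", "server", "v10.00"),
    ("ac-agent-07", "agent", "9.00.01"),
    ("ac-agent-12", "agent", "11.00"),
    ("ac-agent-15", "agent", "10.01"),
    ("ac-agent-19", "agent", ""),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        for host, role, version in hosts:
            print(f"{status:10} {role:6} {host:14} {version or '(none)'}")
```

Hosts in the "unverified" and "unknown" groups need a manual check against the vendor advisory before they are treated as safe.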
Long-Term Security Practices
To enhance overall security, users should employ software-based mitigations, restrict user privileges, and follow best practices for network security. Trustworthy software, network segmentation, and secure remote access methods like VPNs are key preventive measures.
Patching and Updates
Regularly applying security patches, using antivirus programs, and isolating control system devices behind firewalls are critical steps to safeguard against potential threats.