Today the CISA NCCIC-ICS published one control system
security advisory for products from Rockwell Automation.
This advisory describes
nine vulnerabilities in the Rockwell FactoryTalk AssetCentre. The
vulnerabilities were reported by Sharon Brizinov and Amir Preminger of Claroty.
Rockwell has a new version that mitigates the vulnerabilities. There is no
indication that the researchers have been provided an opportunity to verify the
efficacy of the fix.
The nine reported vulnerabilities are:
• Deserialization of untrusted data
(4) – CVE-2021-27462, CVE-2021-27466, CVE-2021-27470, and CVE-2021-27460,
• Use of potentially dangerous
function – CVE-2021-27474,
• OS command injunction – CVE-2021-27476,
• SQL injection – CVE-2021-27472, CVE-2021-27468,
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow unauthenticated attackers
to perform arbitrary command execution, SQL injection, or remote code