CVE-2021-27468 in FactoryTalk AssetCentre

Summary

by MITRE • 03/24/2022

The AosService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier exposes functions lacking proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.


Analysis

by VulDB Data Team • 03/25/2022

The vulnerability identified as CVE-2021-27468 resides within the AosService.rem component of Rockwell Automation FactoryTalk AssetCentre version 10.00 and earlier installations. This service operates as a remote procedure call interface that facilitates communication between various system components and external clients. The flaw is a critical authentication bypass that fundamentally compromises the security posture of industrial control systems. The affected service exposes multiple functions that should require proper authorization but instead operate without any form of authentication verification, creating a broad attack surface for malicious actors targeting industrial environments.

The technical implementation of this vulnerability stems from inadequate access control mechanisms within the AosService.rem service. When the service processes incoming requests, it fails to validate the identity of callers before executing sensitive operations. This authentication gap allows an attacker to directly invoke database functions through the exposed API endpoints without providing any credentials or authorization tokens. The service's design appears to assume that all communications originate from trusted internal sources, failing to account for potential network-based attacks. This architectural oversight enables remote exploitation from any location with network access to the vulnerable service, making the vulnerability particularly dangerous in connected industrial environments where network boundaries may be less strictly enforced.

The operational impact of this vulnerability extends beyond simple unauthorized access to full database manipulation. An attacker exploiting this vulnerability can execute arbitrary SQL statements against the underlying database, potentially leading to data exfiltration, data corruption, or complete system compromise. The exposed functions likely provide access to sensitive operational data including asset information, configuration settings, and potentially operational parameters that could affect production processes. This vulnerability directly violates fundamental security principles by eliminating the authentication layer that should protect database operations, effectively granting attackers the ability to perform read, write, and delete operations on critical industrial data. The implications are particularly severe in manufacturing environments where AssetCentre data directly influences production workflows and operational decisions.

Organizations affected by this vulnerability should implement immediate mitigations including disabling the exposed service when not required, implementing network segmentation to restrict access to the service, and applying available vendor patches or updates. The vulnerability aligns with CWE-284 which addresses improper access control, and represents a clear violation of the principle of least privilege in security architecture. From an attack perspective, this vulnerability maps to multiple ATT&CK techniques including T1190 for exploit public-facing application and T1071.004 for application layer protocol. The lack of authentication controls creates a persistent risk that requires immediate remediation, as attackers can leverage this vulnerability to gain persistent access to industrial databases and potentially escalate privileges within the operational technology environment. Network monitoring should be enhanced to detect unusual database access patterns and unauthorized SQL query execution that may indicate exploitation attempts.
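As an added example that is not part of the VulDB entry or any Rockwell Automation code, the following Python checker applies the segmentation and monitoring advice above to access-log lines: it flags every request to the AosService.rem endpoint that originates outside an assumed engineering-workstation subnet, ranking successful calls highest because the service answers them without authentication. The log line format, the allowed subnet and the URL paths are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Assumption: only this engineering/OT management subnet should ever talk to
# the AssetCentre server's remoting endpoint.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines in a simplified "src_ip method path status" format;
# these are not real FactoryTalk AssetCentre or IIS log entries.
SAMPLE_LOG = """\
10.20.0.15 POST /AosService.rem 200
10.20.0.15 POST /RockwellAutomation/AssetCentre/AosService.rem 200
192.168.77.9 POST /AosService.rem 200
172.16.5.4 GET /index.html 200
203.0.113.8 POST /aosservice.rem 401
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def is_allowed(src: str) -> bool:
    """True when the source address falls inside an allowlisted subnet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable sources are never trusted
    return any(addr in net for net in ALLOWED_SOURCES)


def find_unexpected_remoting_calls(log_text: str) -> List[Dict[str, str]]:
    """Return calls to AosService.rem from sources outside the allowlist.

    A 2xx response from an unexpected source is rated high, since the
    endpoint performs no authentication; other statuses are rated medium.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not path.lower().endswith("/aosservice.rem"):
            continue
        if is_allowed(m.group("src")):
            continue
        status = m.group("status")
        severity = "high" if status.startswith("2") else "medium"
        hits.append({"src": m.group("src"), "path": path,
                     "status": status, "severity": severity})
    return hits
```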

Responsible: ICS-CERT

Reservation: 02/19/2021

Disclosure: 03/24/2022

Moderation: accepted

CPE: ready

EPSS: 0.03358

KEV: no

Activities: very low
