CVE-2021-32960 in FactoryTalk Services Platforminfo

Summary

by MITRE • 04/02/2022

Rockwell Automation FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. If successfully exploited, this may allow an attacker to have the same privileges as if they were logged on to the client machine.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/17/2025

The vulnerability identified as CVE-2021-32960 affects Rockwell Automation FactoryTalk Services Platform version 6.11 and earlier implementations where FactoryTalk Security is enabled. This represents a critical security flaw within industrial control systems infrastructure that specifically targets the authentication and authorization mechanisms of the platform. The vulnerability exists within the security policy enforcement logic and demonstrates a fundamental weakness in how the system handles authenticated sessions when security features are active. The flaw is particularly concerning because it operates within the context of industrial automation environments where operational technology systems require robust security controls to prevent unauthorized access to critical manufacturing processes.

The technical implementation of this vulnerability stems from an insufficient validation mechanism within the FactoryTalk Security framework that fails to properly enforce access controls based on computer name attributes. When FactoryTalk Security is enabled, the platform should maintain strict policy enforcement that prevents authenticated users from accessing resources beyond their designated scope. However, the flaw allows an authenticated attacker to manipulate or bypass these security boundaries through computer name-based authentication checks. This weakness creates a path where an attacker who has already established valid credentials can potentially escalate their privileges or access resources they should not be authorized to reach. The vulnerability essentially creates a loophole in the authorization matrix where the system fails to properly validate that the requesting entity matches the expected computer name context for the requested access.

From an operational impact perspective, this vulnerability creates a significant risk for industrial environments that rely on FactoryTalk Services Platform for their automation infrastructure. An attacker who successfully exploits this vulnerability gains privileges equivalent to those of a user logged directly into the client machine, which could potentially allow them to access sensitive operational data, modify control parameters, or disrupt manufacturing processes. The implications extend beyond simple data access as this could enable attackers to manipulate production workflows, alter quality control settings, or even cause physical damage to equipment. The vulnerability particularly affects environments where network segmentation and access controls are critical for maintaining operational integrity and where the compromise of a single authenticated session could cascade into broader system breaches.

The vulnerability aligns with CWE-285, which addresses improper authorization in software systems, and represents a specific implementation weakness in the security policy enforcement mechanisms. From an adversarial perspective, this flaw would be categorized under ATT&CK technique T1078 which covers valid accounts and credential access, as it allows an attacker to leverage legitimate authenticated sessions to bypass additional security controls. Organizations should implement immediate mitigations including updating to FactoryTalk Services Platform versions that address this vulnerability, reviewing and strengthening network segmentation policies, and implementing additional monitoring controls to detect unauthorized access attempts. The security controls should also include regular audit of authentication logs and verification of access control policies to ensure that computer name-based restrictions are properly enforced. Additionally, network access controls should be implemented to limit the exposure of FactoryTalk Services Platform components to only trusted network segments and require additional authentication layers beyond the initial computer name validation.

Responsible

ICS-CERT

Reservation

05/13/2021

Disclosure

04/02/2022

Moderation

accepted

CPE

ready

EPSS

0.02339

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!