PatchSiren cyber security CVE debrief
CVE-2024-6325 Rockwell Automation CVE debrief
Rockwell Automation FactoryTalk System Services and FactoryTalk Policy Manager version 6.40 insecurely stores private keys with read and execute permissions granted to the Windows 'Everyone' group. These keys are used to generate digital certificates and pre-shared keys for CIP Security and OPC UA communications. A malicious user with local access to the affected machine could obtain these private keys and impersonate resources on the secured network. The vulnerability was published on July 11, 2024, and carries a CVSS 3.1 score of 6.5 (Medium severity).
- Vendor: Rockwell Automation
- Product: FactoryTalk System Services
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-11
- Original CVE updated: 2024-07-11
- Advisory published: 2024-07-11
- Advisory updated: 2024-07-11
Who should care
Organizations operating Rockwell Automation FactoryTalk System Services or FactoryTalk Policy Manager v6.40 in industrial environments, particularly those utilizing CIP Security or OPC UA for device authentication and encrypted communications. Asset owners in critical manufacturing, energy, water/wastewater, and other OT sectors where device impersonation could lead to process manipulation or unauthorized network access. Security teams responsible for certificate lifecycle management in ICS environments. Compliance officers addressing NERC CIP, IEC 62443, or similar industrial cybersecurity frameworks requiring proper key protection.
Technical summary
The vulnerability stems from improper file system permissions on cryptographic key material in FactoryTalk System Services v6.40. The keystore directory and PSKs.json file are created with ACLs granting read and execute access to the Windows 'Everyone' group, allowing any authenticated user on the system to extract private keys. These keys serve as trust anchors for CIP Security (Common Industrial Protocol Security) and OPC UA certificate generation. Successful key extraction enables certificate forgery and impersonation of industrial devices on the secured network. The attack requires local access to the Windows host running FactoryTalk components, with no user interaction needed. The confidentiality impact is rated High due to exposure of cryptographic keys, while integrity and availability impacts are None. The scope is Changed as the vulnerability affects resources beyond the vulnerable component's security authority. Remediation involves both software update and manual key rotation procedures to invalidate potentially compromised material.
Defensive priority
High
Recommended defensive actions
- Upgrade FactoryTalk System Services and FactoryTalk Policy Manager to version 6.40.01
- Prior to upgrade, document all Zone and Conduit security settings in FactoryTalk Policy Manager for recreation
- Remove deployed security policies from all devices and reset endpoints to 'Unassigned' Zone
- Delete the FTSS_backup folder at C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup
- Delete the keystore folder at C:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore and any backup copies with timestamped suffixes
- Delete the PSKs.json file at C:\ProgramData\Rockwell Automation\FactoryTalk System Services\PSKs.json and any backup copies with timestamped suffixes
- After upgrade, recreate security zones and conduits, then redeploy CIP Security policies
- For OPC UA deployments, ensure clients remove previously applied certificates and re-establish trust with new certificates
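As an added example (not Rockwell's tooling and not part of the advisory's own procedure), the following PowerShell audits the key-material locations named above for Allow entries granted to the Windows 'Everyone' group and lists any leftover backup copies, so an asset owner can confirm the exposure before the upgrade and verify the cleanup afterwards. It assumes the default install paths quoted in the remediation steps and that backup copies share the original file or folder name as a prefix; both are assumptions to adjust for a given host.

```powershell
# Added audit script, not Rockwell's own tooling. Assumes the default
# FactoryTalk System Services paths from the advisory; edit $Base/$Paths
# if the product is installed elsewhere.
$Base  = 'C:\ProgramData\Rockwell Automation\FactoryTalk System Services'
$Paths = @(
    (Join-Path $Base 'keystore'),
    (Join-Path $Base 'PSKs.json'),
    'C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup'
)

# Well-known SID for 'Everyone' (S-1-1-0); comparing by SID keeps the
# check independent of the OS display language.
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function Test-EveryoneAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; EveryoneRights = $null }
    }
    $acl    = Get-Acl -LiteralPath $Path
    $rights = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Everyone
        } |
        ForEach-Object { $_.FileSystemRights.ToString() }
    # Any non-null EveryoneRights on a key path means the vulnerable ACL is still in place.
    [pscustomobject]@{
        Path           = $Path
        Exists         = $true
        EveryoneRights = if ($rights) { $rights -join '; ' } else { $null }
    }
}

# Backup copies with timestamped suffixes (assumed to be named keystore_<ts> or
# PSKs_<ts>.json) must be removed together with the originals.
$Backups = Get-ChildItem -LiteralPath $Base -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(keystore|PSKs).+' -and $_.Name -notin @('keystore', 'PSKs.json') }

$Paths | ForEach-Object { Test-EveryoneAccess $_ } | Format-Table -AutoSize
if ($Backups) {
    'Backup copies of key material still present:'
    $Backups | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session before and after the 6.40.01 upgrade; after remediation every listed path should report Exists = False and no backup copies.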
Evidence notes
The vulnerability affects FactoryTalk System Services v6.40 and FactoryTalk Policy Manager v6.40. The root cause is improper access control on private key storage locations, specifically the keystore folder and PSKs.json file within the FactoryTalk System Services directory structure. The vendor has released version 6.40.01 to address this issue. Remediation requires a multi-step process: clearing existing CIP Security configurations, deleting vulnerable key material and backups, updating to the patched version, and regenerating security policies.
Official resources
- CVE-2024-6325 CVE record (CVE.org)
- CVE-2024-6325 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-07-11