CVE-2020-6967
Published 2020-03-23
Priority P2 · 60 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 5.36% (91.6th percentile)
In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe at tcp/8082, which can insecurely deserialize untrusted data.
Detection & IOCs
- Monitor for inbound TCP connections to port 8082 on hosts running RNADiagnosticsSrv.exe; unexpected remote connections (non-localhost) to this port indicate exploitation attempts of the insecure .NET Remoting deserialization endpoint.
- Alert on RNADiagnosticsSrv.exe spawning unexpected child processes, which would indicate successful deserialization-based remote code execution resulting in SYSTEM-level process creation.
- Patched versions restrict the .NET Remoting endpoint to localhost only; if tcp/8082 is still accessible remotely after patching, the mitigation has not been correctly applied.
- Patch BF24822 is the specific fix for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, and 6.11; absence of this patch on those versions leaves tcp/8082 remotely exploitable.
- For FactoryTalk Services Platform 6.31, enabling WCF avoids the vulnerable .NET Remoting code path entirely; if .NET Remoting remains the active transport, the system is still at risk even on 6.31.
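The first two items above can be expressed as a small triage routine over endpoint telemetry. This is an added example, not code from the advisory or from Rockwell Automation; the event record layout (`type`, `host`, `image`, `parent_image`, `local_port`, `remote_ip`), the `allowed_children` parameter and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from pathlib import PureWindowsPath

SERVICE = "rnadiagnosticssrv.exe"  # process named on this page
PORT = 8082                        # .NET Remoting port named on this page

def _name(path):
    """Lower-cased file name of a Windows path ('' if missing)."""
    return PureWindowsPath(path or "").name.lower()

def _is_loopback(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable: treat as remote so it gets reviewed
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 case
    return addr.is_loopback or (mapped is not None and mapped.is_loopback)

def triage(events, allowed_children=frozenset()):
    """Return (rule, host, detail) tuples for the two signals in the list above."""
    findings = []
    for ev in events:
        if ev["type"] == "net_inbound":
            if (_name(ev["image"]) == SERVICE and ev["local_port"] == PORT
                    and not _is_loopback(ev["remote_ip"])):
                findings.append(("remote-8082", ev["host"], ev["remote_ip"]))
        elif ev["type"] == "proc_create":
            child = _name(ev["image"])
            if _name(ev["parent_image"]) == SERVICE and child not in allowed_children:
                findings.append(("child-process", ev["host"], child))
    return findings

# Constructed sample events; <install-dir> is a placeholder, not a real path.
SVC = r"C:\<install-dir>\RNADiagnosticsSrv.exe"
SAMPLE_EVENTS = [
    {"type": "net_inbound", "host": "hmi-01", "image": SVC, "local_port": 8082, "remote_ip": "127.0.0.1"},
    {"type": "net_inbound", "host": "hmi-01", "image": SVC, "local_port": 8082, "remote_ip": "::1"},
    {"type": "net_inbound", "host": "hmi-02", "image": SVC, "local_port": 8082, "remote_ip": "192.0.2.44"},
    {"type": "proc_create", "host": "hmi-02", "parent_image": SVC, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "proc_create", "host": "hmi-02", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On a patched host the `remote-8082` rule should never fire, so a hit there also indicates the localhost restriction is not in effect.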
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
CISA ICS
Rockwell Automation FactoryTalk Diagnostics (Update A)
cisa_ics·2020-02-20·CVSS 9.8
Last Revised: February 20, 2020
Alert Code: ICSA-20-051-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Rockwell Automation
- Equipment: FactoryTalk Diagnostics
- Vulnerability: Deserialization of Untrusted Data
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-20-051-02-Rockwell Automation FactoryTalk Diagnostics that was published February 20, 2020 on the ICS webpage at cisa.gov/ICS.
## 3. RISK EV
CISA ICS
Rockwell Automation FactoryTalk Diagnostics (Update B)
cisa_ics·2020-02-20·CVSS 9.8
Release Date: May 18, 2023
Alert Code: ICSA-20-051-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: Rockwell Automation
- Equipment: FactoryTalk Diagnostics
- Vulnerabilities: Deserialization of Untrusted Data
## 2. UPDATE OR REPOSTED INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-20-051-02-Rockwell Automation FactoryTalk Diagnostics (Update A) that was published February 20, 2020, on the ICS webpage at cisa.gov/ICS.
## 3. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to execute arbitrary code with SYSTEM level privileges.
## 4
GHSA
GHSA-fmpr-x9v2-r3jj: In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exp
ghsa_unreviewed·2022-05-24
CVE-2020-6967 [CRITICAL] CWE-502
In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services Platform, FactoryTalk Diagnostics exposes a .NET Remoting endpoint via RNADiagnosticsSrv.exe at tcp/8082, which can insecurely deserialize untrusted data.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-03-23