Severity: High
Advisory ID: PN1625
Published Date: May 12, 2023
Last Updated: September 09, 2025
Revision Number: 2.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2023-2443
Summary
Inadequate Encryption Vulnerability in ThinManager®
Revision Number
1.2
Revision History
Version 1.0 - May 11, 2023
Version 1.1 - May 12, 2023 – Updated First Known in Software Version
Version 1.2 - September 9, 2025 - Updated for readability
Affected Products
| Affected Product | First Known in Software Version | Corrected in Software Version |
| --- | --- | --- |
| ThinManager® | v13.0.0 and v13.0.1 | v13.0.2 |
Security Issue Details
Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues.
CVE-2023-2443 IMPACT
The affected product allows use of medium strength ciphers. If the client requests an insecure cipher, a threat actor could decrypt traffic sent between the client and server Application Programming Interface (API).
CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: Inadequate Encryption Strength
Known Exploited Vulnerability (KEV) database:
No
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
Risk Mitigation & User Action
Customers using the affected software should use the risk mitigations and our suggested security best practices found below to minimize risks.
- Upgrade to v13.0.2.
- Do not use the 3DES encryption algorithm.
- QA43240 - Recommended Security Guidelines from Rockwell Automation
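
One way to check a cipher list against the 3DES mitigation above and the glossary's definition of medium strength ciphers (an added example, not Rockwell Automation code). It assumes entries shaped like those returned by Python's `ssl.SSLContext.get_ciphers()`; the sample list and the label strings are constructed for illustration.

```python
import ssl

# Bounds from the advisory's glossary: medium strength means a key length
# of at least 56 bits and less than 112 bits.
MEDIUM_MIN_BITS = 56
MEDIUM_MAX_BITS = 112

# Constructed sample, shaped like ssl.SSLContext.get_ciphers() entries.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "strength_bits": 112},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
]

def classify(cipher):
    """Return a label if the suite should be disabled, otherwise None."""
    name = cipher["name"].upper()
    bits = cipher.get("strength_bits", 0)
    # Match 3DES by name (OpenSSL and IANA spellings). The sample rates it
    # at 112 strength bits, exactly on the upper bound, so a bits-only
    # comparison would let it through.
    if "3DES" in name or "DES-CBC3" in name:
        return "3DES"
    # Anything under the medium floor is weaker still and is reported too.
    if bits < MEDIUM_MIN_BITS:
        return "below-medium"
    if bits < MEDIUM_MAX_BITS:
        return "medium"
    return None

def audit(ciphers):
    """Return (name, label) for every suite that classify() flags."""
    findings = []
    for cipher in ciphers:
        label = classify(cipher)
        if label:
            findings.append((cipher["name"], label))
    return findings

def audit_local_defaults():
    """Audit the suites this Python/OpenSSL build enables by default."""
    return audit(ssl.create_default_context().get_ciphers())

if __name__ == "__main__":
    for name, label in audit(SAMPLE_CIPHERS) + audit_local_defaults():
        print(f"{label:13} {name}")
```
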
Additional Resources
- CVE-2023-2443 JSON
- QA60051 - ThinManager : Download Patches and Updates
- QA66518 - ThinManager: How to Ensure 3DES Encryption Algorithm is Not Used
Glossary
Application Programming Interface (API): a set of protocols and tools that allow different software applications to communicate with each other.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited.
Medium Strength Ciphers: encryption methods that use key lengths of at least 64 bits and less than 112 bits, or those with key lengths of at least 56 bits and less than 112 bits.
Copyright ©2022 Rockwell Automation, Inc.