Loading

PowerMonitor™ 1000 Remote Code Execution and Denial-of-Service Vulnerabilities via HTTP Protocol

Severity:
Critical
Advisory ID:
SD1714
Published Date:
December 17, 2024
Last Updated:
December 17, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
CVE IDs
CVE-2024-12371 ,
CVE-2024-12372 ,
CVE-2024-12373
Downloads
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
JSON
Summary

Published Date: December 17, 2024

Last updated: August 6, 2025

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.3/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Products

Affected firmware revision

Corrected in firmware revision

PM1k 1408-BC3A-485

<4.020

4.020

PM1k 1408-BC3A-ENT

<4.020

4.020

PM1k 1408-TS3A-485

<4.020

4.020

PM1k 1408-TS3A-ENT

<4.020

4.020

PM1k 1408-EM3A-485

<4.020

4.020

PM1k 1408-EM3A-ENT

<4.020

4.020

PM1k 1408-TR1A-485

<4.020

4.020

PM1k 1408-TR2A-485

<4.020

4.020

PM1k 1408-EM1A-485

<4.020

4.020

PM1k 1408-EM2A-485

<4.020

4.020

PM1k 1408-TR1A-ENT

<4.020

4.020

PM1k 1408-TR2A-ENT

<4.020

4.020

PM1k 1408-EM1A-ENT

<4.020

4.020

PM1k 1408-EM2A-ENT

<4.020

4.020

 

SECURTIY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following security issues. The following issues were reported by Vera Mens of Claroty Research - Team82. 

 

CVE-2024-12371 IMPACT

A device takeover security issue exists in the affected product. This allows configuration of a new Policyholder user without any authentication via API. A policyholder user is the most privileged user that can perform edit operations. This creates admin users and performs a factory reset.

CVSS 3.1 Base Score: 9.8/10 

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE-420: Unprotected Alternate Channel

 

CVE-2024-12372 IMPACT

A denial-of-service and possible remote code execution security issue exists in the affected product. This issue results in corruption of the heap memory which may compromise the integrity of the system. This could allow a remote code execution or a denial-of-service attack.

CVSS 3.1 Base Score: 9.8/10  

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE-122: Heap-based Buffer Overflows

 

CVE-2024-12373 IMPACT

A denial-of-service security issue exists in the affected product. This results in a buffer-overflow which could cause a denial-of-service.

CVSS 3.1 Base Score: 9.8/10  

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Known Exploited Vulnerability (KEV) database: No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

 

Mitigations and Workarounds

Customers using the affected software that can't upgrade to one of the corrected version should use the security best practices.   

·       Security Best Practices

Glossary

Buffer Overflow: when a program writes more data to a buffer than it can hold, causing the excess data to overflow into adjacent memory locations

Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited 

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Rockwell Automation Home Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
Please update your cookie preferences to continue.
This feature requires cookies to enhance your experience. Please update your preferences to allow for these cookies:
  • Social Media Cookies
  • Functional Cookies
  • Performance Cookies
  • Marketing Cookies
  • All Cookies
You can update your preferences at any time. For more information please see our {0} Privacy Policy
CloseClose