Multiple Code Execution Vulnerabilities in Arena®

Published Date: 12/5/2024

Revision Number: 1.0
CVSS Score: v3.1: 7.8, v4.0 8.5

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by ZDI (Zero Day Initiative).

CVE-2024-11155 IMPACT

A “use after free”  code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-416 Use After Free

Known Exploited Vulnerability (KEV) database: No

CVE-2024-11156 IMPACT

An “out of bounds write”  code execution vulnerability exists in the affected products that could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No

CVE-2024-11158 IMPACT

An “uninitialized variable”  code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to access a variable before it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-665 Improper Initialization

Known Exploited Vulnerability (KEV) database: No

CVE-2024-12130 IMPACT

An “out of bounds read” code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to read beyond the boundaries of an allocated memory. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply these risk mitigations, if possible.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Published Date: 11/14/24

Last updated: 11/14/24

Revision Number: 1.0

CVSS Score: v3.1: 6.8/10, v4.0: 8.4/10

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS 

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2024-37287 IMPACT

Verve Reporting utilizes Kibana which contains a remote code execution vulnerability that allows an attacker with access to ML and Alerting connecting features as well as write access to internal ML to trigger a prototype pollution vulnerability, which can ultimately lead to arbitrary code execution. The code execution is limited to the container.

CVSS Base Score v3.1: 7.2/10

CVSS Vector CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.6/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Mitigations and Workarounds 

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability. 

1. Restrict Access to Built-in Verve Account
   • Access to the built-in "verve" account should be limited to only administrators who need to perform administrative functions and should only be used for administrative purposes. Separate accounts should be used for day-to-day functions.
   • Change the password for the built-in "verve" account if it has been shared.
2. Restrict Privileges for Other Accounts
   • Verve Reporting comes with built-in roles to simplify the delegation of user permissions. Assigning a user the following two roles will allow them access to most Verve Reporting features (excluding user administration), but will not give them permission to execute this vulnerability.
     • all-all
     • feature-all-all
3. Disable Machine Learning
   • Machine learning can be disabled in the Elasticsearch configuration override. Contact Verve support for assistance if needed.
     1. Connect to the Reporting server via SSH or terminal.
     2. Copy the Elasticsearch configuration override to the working directory.
        1. docker exec $(docker ps --filter "name=Reporting_elasticsearch" --format "{{ .ID }}") cat /usr/share/elasticsearch/config-templates/elasticsearch.override.yml > elasticsearch.override.yml
     3. Add the following line and save.
        1. xpack.ml.enabled: false
     4. Disable Verve Reporting from the Verve Software Manager.
     5. Update the Elasticsearch configuration override.
        1. docker config rm elasticsearchymloverride 
           docker config create elasticsearchymloverride ./elasticsearch.override.yml
     6. Enable Verve Reporting from the Verve Software Manager and confirm that the application starts and "Machine Learning" is no longer listed in the main navigation bar under Analytics.
     7. Delete the copy of the Elasticsearch configuration override. 
        1. rm elasticsearch.override.yml

• Security Best Practices

Published Date: 11/14/2024

Revision Number: 1.0

CVSS Score: 3.1: 7.3/10, 4.0: 7.0/10

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6068 IMPACT

A memory corruption vulnerability exists in the affected products when parsing DFT files.  Local threat actors can exploit this issue to disclose information and to execute arbitrary code. To exploit this vulnerability a legitimate user must open a malicious DFT file.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector:  CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE 1284 Improper Validation of Specified Quantity in Input
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·       For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Published Date: November 12^th, 2024

Last updated: November 12^th, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.3/10, v4.0: 7.0/10

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve our customer’s business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

·         To enhance security and prevent unauthorized modifications to HMI project files, harden the Windows OS by removing the INTERACTIVE group from the folder’s security properties.

·         Add specific users or user groups and assign their permissions to this folder using the least privileges principle. Users with read-only permission can still test run and run the FactoryTalk View ME Station.

·         Guidance can be found in FactoryTalk View ME v14 Help topic: “HMI projects folder settings”. It can be opened through FactoryTalk View ME Studio menu “help\Contents\FactoryTalk View ME Help\Create a Machine Edition application->Open applications->HMI project folder settings”.   Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-37365 IMPACT

A remote code execution vulnerability exists in the affected product. The vulnerability allows users to save projects within the public directory allowing anyone with local access to modify and/or delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate their privileges by changing the macro to execute arbitrary code.

CVSS 3.1 Base Score: 7.3/10 

CVSS Vector: CVSS: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

Published Date: 11/12/2024
Last Updated: 11/12/2024
Revision Number: 1.0
CVSS Score: Multiple, see below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-10943 IMPACT

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVSS 3.1 Base Score: 9.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 9.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE:  CWE-922: Insecure Storage of Sensitive Information
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10944 IMPACT

A Remote Code Execution vulnerability exists in the affected product. The vulnerability requires a high level of permissions and exists due to improper input validation resulting in the possibility of a malicious Updated Agent being deployed.

CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Control access to the server where FactoryTalk® Updater is running.

·         Click the ‘Scan’ button, which will update the database

CVE-2024-10945 IMPACT

A Local Privilege Escalation vulnerability exists in the affected product. The vulnerability requires a local, low privileged threat actor to replace certain files during update and exists due to a failure to perform proper security checks before installation.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-358: Improperly Implemented Security Check for Standard
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ThinManager® Multiple Vulnerabilities

Published Date: 10/25/2024 
Last Updated: 10/25/2024 
Revision Number: 1.0 
CVSS Score: Multiple, see below

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

The security of our products is important to us as your chosen industrial automation supplier. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. These vulnerabilities were discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-10386 IMPACT

An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulation.

CVSS 3.1 Base Score: 9.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-306: Missing Authentication for Critical Function 
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10387 IMPACT

A Denial-of-Service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in Denial-of-Service.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-125: Out-of-bounds Read 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply these risk mitigations, if possible.

• If able, navigate to the ThinManager® download site and upgrade to a corrected version of ThinManager® .

• Implement network hardening for ThinManager® Device(s) by limiting communications to TCP 2031 to only the devices that require connection to the ThinManager® .

• For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Published Date: October 10, 2024 
Last updated: October 10, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5, v4.0: 8.7 
 

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerability was reported to Rockwell Automation by Trevor Flynn.

CVE-2024-6207 IMPACT

A denial-of-service vulnerability exists in the affected products that will cause the device to result in a major nonrecoverable fault (MNRF) when it receives an invalid CIP request. To exploit this vulnerability a malicious user must chain this exploits with CVE 2021-22681 and send a specially crafted CIP message to the device.  If exploited, a threat actor could help prevent access to the legitimate user and end connections to connected devices including the workstation.  To recover the controllers, a download is required which ends any process that the controller is running. 

CVSS Base Score v3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 

CVSS Base Score v4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds 

Users using the affected software are also encouraged to apply security best practices to minimize the risk of vulnerability. 

• Security Best Practices

 ADDITIONAL RESOURCES

• JSON CVE-2024-6207

Published Date: 10/8/2024

Last Updated: 10/8/2024 

Revision Number: 1.0 
CVSS Score: 8.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-9124 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 6000T. If the device is overloaded with requests, it will become unavailable. The device may require a power cycle to recover it if it does not re-establish a connection after it stops receiving requests. 

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.2 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE:  Improper Check for Unusual or Exceptional Conditions 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

• Security Best Practices 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

• CVE-2024-9124 JSON

Logix Controllers Vulnerable to Denial-of-Service Vulnerability

Published Date: October 8, 2024

Last updated:  October 10, 2024

Revision Number: 2.0

CVSS Score: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Mitigations and Workarounds 

Customers using the affected versions are encouraged to upgrade to corrected firmware versions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. 

• Security Best Practices

VULNERABILITY DETAILS

CVE-2024-8626 IMPACT

Due to a memory leak, a denial-of-service vulnerability exists in the affected products. A malicious actor could exploit this vulnerability by performing multiple actions on certain web pages of the product causing the affected products to become fully unavailable and require a power cycle to recover. 

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  

CVSS Base Score: 7.5/10 (high) 

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score: 8.7/10 (high)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: 400 – Uncontrolled Resource Consumption 

ADDITIONAL RESOURCES

• JSON CVE-2024-8626

Published Date: 10/8/24

Last updated: 10/8/24

Revision Number: 1.0

CVSS Score: v3.1: 6.8, v4.0: 8.4

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS 

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

 CVE-2024-9412 IMPACT

An improper authorization vulnerability exists in the affected products that could allow an unauthorized user to sign in. While removal of all role mappings is unlikely, it could occur in the case of unexpected or accidental removal by the administrator. If exploited, an unauthorized user could access data they previously but should no longer have access to.  

CVSS Base Score v3.1: 6.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.4/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-842: Placement of User into Incorrect Group 

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds 

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.  

• The presence of any mappings will help prevent this vulnerability from being exploited. If all mappings must be removed, manually removing previously mapped users is an effective workaround.

• Security Best Practices

 ADDITIONAL RESOURCES

·       JSON CVE-2024-9412

Published Date: 10/8/24

Revision Number: 1.0

CVSS Score: 3.1: 7.5, 8.1, 7.8, 9.8 4.0: 8.7, 9.3

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product Affected Product Affected Versions

DataEdgePlatform

DataMosaix™ Private Cloud <=7.07 v7.09

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.

CVE-2019-14855 IMPACT

The affected product utilizes GnuPG which contains a certificate signature vulnerability found in the SHA-1 algorithm. A threat actor could use this weakness to create forged certificate signatures. If exploited, a malicious user could view customer data.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-17543 IMPACT

The affected product utilizes LZ4 which contains a heap-based buffer overflow vulnerability in versions before 1.9.2 (related to LZ4_compress_destSize), that affects applications that call LZ4_compress_fast with a large input. This issue can also lead to data corruption. NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 8.1 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-18276 IMPACT

The affected product utilizes shell.c which contains a vulnerability in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. A threat actor with command execution in the shell can use "enable -f" for runtime loading to gain privileges. If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 7.8 CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-19244 IMPACT

The affected product utilizes SQLite 3.30.1 which contains a vulnerability in sqlite3Select in select.c that allows a crash if a subselect uses both DISTINCT and window functions and has certain ORDER BY usage. If exploited, a malicious actor could perform a denial-of-service, which would require the use to restart the software to recover it.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-9893 IMPACT

The affected product utilizes libseccomp, which contains a vulnerability in versions 2.4.0 and earlier that does not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE). This vulnerability could lead to bypassing seccomp filters and potential privilege escalations. If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 9.8 CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-9923 IMPACT

The affected product utilizes GNU Tar, which contains a vulnerability in pax_decode_header in sparse.c in versions before 1.32. pax_decode_header has a NULL pointer dereference when parsing certain archives that have malformed extended headers. If exploited, a malicious actor could perform a denial-of-service, which would require the use to restart the software to recover it.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

• CVE-2019-14855 JSON
• CVE-2019-17543 JSON
• CVE-2019-18276 JSON
• CVE-2019-19244 JSON
• CVE-2019-989 JSON
• CVE-2019-9923 JSON

Published Date: 10/8/24 

Revision Number: 1.0 
CVSS Score: v3.1: 7.5, 8.8 v4.0: 8.7

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7952 IMPACT

A data exposure vulnerability exists in the affected product. There are hardcoded links in the source code that lead to JSON files that can be reached without authentication. If exploited, a threat actor could view customer data. 

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE:  Exposure of Sensitive Information to an unauthorized Actor 
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7953 IMPACT

 
A vulnerability exists in the affected products that allows a threat actor to create a project and become the administrator for it. If exploited, a threat actor could create, modify, and delete their own project. 

CVSS 3.1 Base Score: 8.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  Missing Authorization 
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7956 IMPACT 

A vulnerability exists in the affected products that allows a threat actor to gain access to user’s projects. To exploit this vulnerability the threat actor must have basic user privileges. If exploited, the threat actor can modify and delete the project. 

CVSS 3.1 Base Score: 8.1 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 7.6 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE:  Incorrect Authorization 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

• Security Best Practices 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

• CVE-2024-7952 JSON
• CVE-2024-7953 JSON
• CVE-2024-7956 JSON

Published Date: September 19, 2024

Last updated:  September 19, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.7/10, v4.0: 8.8/10

AFFECTED PRODUCTS AND SOLUTION

Mitigations and Workarounds 

Users using the affected software are encouraged to apply the following mitigations and security best practices, where possible. 

·       Deny the execution feature in FactoryTalk® Administration Console, when not needed, by navigating to “Policies”, selecting ‘”Enable/Disable VBA”, and then checking the “Deny” box to block VBA code execution.

·       Save project files in a Trusted® location where only administrators can modify it and verify file integrity.

·       Utilize the VBA editor protection feature, which locks the VBA code from viewing and editing by setting a password.

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82. 

A feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention.  This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability.

CVE-2024-7847 IMPACT

CVSS Base Score 3.1: 7.7/10

CVSS Vector String 3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS Base Score 4.0: 8.8/10

CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE: CWE-345 (Insufficient verification of data authenticity)

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

• JSON CVE-2024-7847

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45825 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Block communication to CIP class 883 if it is not required

·         Block communication to CIP class 67 if it is not required

·         Enforce proper network segmentation and routing controls

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2024-45825

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 8.1/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45823 IMPACT

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2024-45823

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 6.8/10, v4.0: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45826 IMPACT

Due to improper input validation, a path traversal and remote code execution vulnerability exists when the ThinManager® processes a crafted POST request. If exploited, a user can install an executable file.

CVSS 3.1 Base Score: 6.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-610: Externally Controlled Reference to a Resource in Another Sphere
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2024-45826

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.8/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-31102 IMPACT

A vulnerability exists which could allow remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability because the target must visit a malicious page or open a malicious file.

The specific vulnerability exists in the analysis of 7Z files. The problem results from the lack of proper validation of user-supplied data, which can lead to an integer underflow before writing to memory. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

CVE-2023-40481 IMPACT

 A SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution exists in 7-Zip that allows remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is also required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file.

The specific vulnerability arises during the analysis of SQFS files due to the lack of proper validation of user-supplied data. This can cause a write operation to exceed the end of an allocated buffer. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Do not archive or restore projects from unknown sources.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2023-31102

·         JSON CVE-2023-40481

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45824 IMPACT

A remote code vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS Vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-77: Improper Neutralization of Special Elements used in a Command
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Navigate to the following link and apply patches, directions are on the link page

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2024-45824

Published Date: 9/12/24 
Revision Number: 1.0 
CVSS Score: 3.1: 7.6, 7.2 4.0: 8.8, 7.6 

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments. 

AFFECTED PRODUCTS AND SOLUTION 

VULNERABILITY DETAILS 

Rockwell Automation used the latest versions of the CVSS scoring system to assess the vulnerabilities. 

CVE-2024-7960 IMPACT 

The affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.  

CVSS 3.1 Base Score: 7.6 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 

CVSS 4.0 Base Score: 8.8 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N 

CWE:  Improper Privilege Management 
Known Exploited Vulnerability (KEV) database: No 

CVE-2024-7961 IMPACT 

A path traversal vulnerability exists in the affected product.  If exploited, the threat actor could upload arbitrary files to the server that could result in a remote code execution.   

CVSS 3.1 Base Score: 7.2 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 

CVSS 4.0 Base Score: 8.6 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 

CWE:  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 
Known Exploited Vulnerability (KEV) database: No 

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

• Security Best Practices

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization. 

ADDITIONAL RESOURCES 

• CVE-2024-7960 JSON

• CVE-2024-7961 JSON

Published Date: 9/12/2024

Last Updated: 9/12/2024 

Revision Number: 1.0 
CVSS Score: v3.1: 7.5/10, v4.0: 7.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-8533 IMPACT

A privilege escalation vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.7 
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-269: Improper Privilege Management 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply security best practices

• For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

• JSON CVE-2024-8533

Published Date: 9/12/2024

Updated Date: 9/12/2024 

Revision Number: 1.0

CVSS: v3.1: 7.4, 4.0: 8.3

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

 Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6077 IMPACT

A denial-of-service vulnerability exists in the affected products when specially crafted packets are sent to the CIP Security Object. If exploited the device will become unavailable and require a factory reset to recover. 

CVSS Base Score: 7.5 
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score: 8.7 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N 
CWE-20:  Improper Input Validation 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers who are unable to upgrade to the corrected software versions are encouraged to apply the following risk mitigations. 

• Users who do not wish to use CIP security can disable the feature per device. See "Disable CIP Security" in Chapter 2 of "CIP Security with Rockwell Automation Products" (publication SECURE-AT001)

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

    JSON CVE-2024-6077

Published Date: 8/22/24

Last updated: 8/22/24

Revision Number: 1.0

CVSS Score: v3.1: 5.5, 7.8, 9.8, v4.0: 6.8, 8.5, 9.3

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Nicholas Zubrisky of Trend Micro Security Research.

CVE-2024-7986 IMPACT

A vulnerability exists in the affected products that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.

CVSS Base Score v3.1: 5.5/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS Base Score v4.0: 6.8/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE: CWE-269 Improper Privilege Management

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

CVE-2024-7987 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. To exploit this vulnerability and a threat actor must abuse the ThinServer™ service by creating a junction and use it to upload arbitrary files.

CVSS Base Score v3.1: 7.8/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.5/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2024-7988 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. This vulnerability exists due to the lack of proper data input validation, which allows files to be overwritten.

CVSS Base Score v3.1: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

Mitigations and Workarounds

Customers using the affected software are encouraged to implement our suggested security best practices to minimize the risk of vulnerability.

·       Security Best Practices

 ADDITIONAL RESOURCES

·       JSON CVE-2024-7986

·       JSON CVE 2024-7987

·       JSON CVE 2024 -7988

Published Date: August 13, 2024 
Last updated: August 13, 2024

Revision Number: 1.0

CVSS Score: Please see below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.  

AFFECTED PRODUCTS AND SOLUTION

VULNERABILITY DETAILS

CVE IMPACT

An arbitrary code execution vulnerability exists in the affected product. The vulnerability occurs due to a vulnerable component, Log4Net v1.2, which has multiple vulnerabilities listed below:

• CVE-2018-1285, CVSS score 7.5 - log4net config file does not disable XML external entities
  • CVSS Base Score: 7.5
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 
    
  • CWE-20:  Improper Input Validation 
  • Known Exploited Vulnerability (KEV) database: None
• CVE-2006-0743, CVSS score 5.3 - format string vulnerability in log4net
  • CVSS Base Score: 5.3 
  • CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 
  • CWE-134:  Use of Externally Controlled Format String
  • Known Exploited Vulnerability (KEV) database: None

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

• For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.  

• JSON CVE-2006-0743

• JSON CVE-2018-1285

Published Date: 8/13/2024

Updated Date: 8/13/2024 
Revision Number: 1.0

CVSS: v3.1: 9.1, v4.0: 8.6 

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Mitigations and Workarounds

• Customers using the affected software are encouraged to upgrade the DataMosaix™ Private Cloud software from V7.07 to V7.09. The application support team will work with respective customers to upgrade. 

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAIL

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6078 IMPACT

An improper authentication vulnerability exists in the affected product, which could allow a malicious user to generate cookies for any user ID without the use of a username or password. If exploited, a malicious user could take over the account of a legitimate user. The malicious user would be able to view and modify data stored in the cloud. 

CVSS Base Score: 9.1  
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS Base Score: 8.6 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N 
CWE-287:  Improper Authentication 
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

• JSON CVE-2024-6078