Published Date: June 13, 2024
Last updated: June 13, 2024
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product
|
First Known in software version
|
Corrected in software version
|
FactoryTalk® View SE
|
v11.0
|
v14.0
|
Mitigations and Workarounds
Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
It is recommended that users enforce proper access controls within the network and segment networks containing sensitive information using IPSec: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1090456
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.
CVE-2024-37368 IMPACT
A user authentication vulnerability exists in the affected product. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. Due to the lack of proper authentication, this action is allowed without proper authentication verification.
CVSS 3.1 Base Score: 9.8/10
CSVV 4.0 Base Score: 9.2/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.