Loading

PowerMonitor™ 1000 Remote Code Execution and Denial-of-Service Vulnerabilities via HTTP Protocol

Severity:
Critical
Advisory ID:
SD1714
Data pubblicazione:
December 17, 2024
Ultimo aggiornamento:
December 17, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Sì
Workaround:
No
CVE IDs
CVE-2024-12371 ,
CVE-2024-12372 ,
CVE-2024-12373
Download
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
JSON
Riepilogo

Published Date: December 17, 2024

Last updated: August 6, 2025

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.3/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Products

Affected firmware revision

Corrected in firmware revision

PM1k 1408-BC3A-485

<4.020

4.020

PM1k 1408-BC3A-ENT

<4.020

4.020

PM1k 1408-TS3A-485

<4.020

4.020

PM1k 1408-TS3A-ENT

<4.020

4.020

PM1k 1408-EM3A-485

<4.020

4.020

PM1k 1408-EM3A-ENT

<4.020

4.020

PM1k 1408-TR1A-485

<4.020

4.020

PM1k 1408-TR2A-485

<4.020

4.020

PM1k 1408-EM1A-485

<4.020

4.020

PM1k 1408-EM2A-485

<4.020

4.020

PM1k 1408-TR1A-ENT

<4.020

4.020

PM1k 1408-TR2A-ENT

<4.020

4.020

PM1k 1408-EM1A-ENT

<4.020

4.020

PM1k 1408-EM2A-ENT

<4.020

4.020

 

SECURTIY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following security issues. The following issues were reported by Vera Mens of Claroty Research - Team82. 

 

CVE-2024-12371 IMPACT

A device takeover security issue exists in the affected product. This allows configuration of a new Policyholder user without any authentication via API. A policyholder user is the most privileged user that can perform edit operations. This creates admin users and performs a factory reset.

CVSS 3.1 Base Score: 9.8/10 

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE-420: Unprotected Alternate Channel

 

CVE-2024-12372 IMPACT

A denial-of-service and possible remote code execution security issue exists in the affected product. This issue results in corruption of the heap memory which may compromise the integrity of the system. This could allow a remote code execution or a denial-of-service attack.

CVSS 3.1 Base Score: 9.8/10  

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE-122: Heap-based Buffer Overflows

 

CVE-2024-12373 IMPACT

A denial-of-service security issue exists in the affected product. This results in a buffer-overflow which could cause a denial-of-service.

CVSS 3.1 Base Score: 9.8/10  

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Known Exploited Vulnerability (KEV) database: No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

 

Mitigations and Workarounds

Customers using the affected software that can't upgrade to one of the corrected version should use the security best practices.   

·       Security Best Practices

Glossary

Buffer Overflow: when a program writes more data to a buffer than it can hold, causing the excess data to overflow into adjacent memory locations

Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited 

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Home Rockwell Automation Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
Aggiorna le tue preferenze sui cookie per continuare.
Questa funzionalità richiede i cookie per migliorare la tua esperienza. Ti preghiamo di aggiornare le tue preferenze per consentire questi cookie:
  • Cookie dei social media
  • Cookie funzionali
  • Cookie di prestazione
  • Cookie di marketing
  • Tutti i cookie
Puoi aggiornare le tue preferenze in qualsiasi momento. Per ulteriori informazioni consultare il nostro {0} politica sulla riservatezza
CloseClose