Severity:
Critical
Advisory ID:
PN1630
Veröffentlichungsdatum:
July 11, 2023
Zuletzt aktualisiert:
July 11, 2023
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
Nein
Corrected:
Nein
Workaround:
Nein
CVE IDs
CVE-2023-2746
Zusammenfassung
Enhanced HIM Vulnerable to Cross Site Request Forgery Attack
Revision History
Revision Number
1.0
Revision History
Version 1.0 - July 11, 2023
Affected Products
Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision |
Enhanced HIM | v1.001 | v1.002 |
Vulnerability Details
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
CVE-2023-2746 IMPACT
The API that the application uses is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross Site Request Forgery (CSRF) attack. To exploit this vulnerability, a malicious user would have to convince a user to click on an untrusted link through a social engineering attack or successfully perform a Cross Site Scripting Attack (XSS). Exploitation of a CSRF could potentially lead to sensitive information disclosure and full remote access to the affected products.
Known Exploited Vulnerability (KEV) database:
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
CVE-2023-2746 IMPACT
The API that the application uses is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross Site Request Forgery (CSRF) attack. To exploit this vulnerability, a malicious user would have to convince a user to click on an untrusted link through a social engineering attack or successfully perform a Cross Site Scripting Attack (XSS). Exploitation of a CSRF could potentially lead to sensitive information disclosure and full remote access to the affected products.
CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
Known Exploited Vulnerability (KEV) database:
No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Risk Mitigation & User Action
Customers using the affected software are encouraged to apply risk mitigation, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.
- Upgrade to version 1.002 which mitigates this issue.
- QA43240 - Recommended Security Guidelines from Rockwell Automation
Additional Resources
Copyright ©2022 Rockwell Automation, Inc.