PN1625 | Inadequate Encryption Vulnerability in ThinManager®

Affected Product	First Known in Software Version	Corrected in Software Version
ThinManager ®	v13.0.0 and v13.0.1	v13.0.2

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2443 IMPACT
The affected product allows use of medium strength ciphers.  If the client requests an insecure cipher, a malicious actor could potentially decrypt traffic sent between the client and server API.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: Inadequate Encryption Strength

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize risk of vulnerability.

• Upgrade to v13.0.2.
• Do not use 3DES encryption algorithm.
• QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

• CVE-2023-2443 JSON
• QA60051 - ThinManager : Download Patches and Updates
• QA66518 - ThinManager: How to Ensure 3DES Encryption Algorithm is Not Used