PN1630 | Enhanced HIM Vulnerable to Cross Site Request Forgery Attack

Affected Product	First Known in Firmware Revision	Corrected in Firmware Revision
Enhanced HIM	v1.001	v1.002

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2746 IMPACT
The API that the application uses is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross Site Request Forgery (CSRF) attack. To exploit this vulnerability, a malicious user would have to convince a user to click on an untrusted link through a social engineering attack or successfully perform a Cross Site Scripting Attack (XSS). Exploitation of a CSRF could potentially lead to sensitive information disclosure and full remote access to the affected products.

CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-352: Cross-Site Request Forgery (CSRF)

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Customers using the affected software are encouraged to apply risk mitigation, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.

• Upgrade to version 1.002 which mitigates this issue.
• QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

• CVE-2023-2746 JSON