
FactoryTalk® Updater Multiple Vulnerabilities

Severity: High, Critical
Advisory ID: SD1710
Published Date: November 12, 2024
Last Updated: November 12, 2024
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes
CVE IDs: CVE-2024-10943, CVE-2024-10944, CVE-2024-10945

Downloads
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
CVE-2024-10943
CVE-2024-10944
CVE-2024-10945
Summary

Published Date: 11/12/2024
Last Updated: 11/12/2024
Revision Number: 1.0
CVSS Score: Multiple, see below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported in keeping with our commitment to customer transparency and to improving customers' business and production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product                    CVE             First Known in Software Version   Corrected in Software Version
FactoryTalk® Updater – Web Client   CVE-2024-10943  v4.00.00                          v4.20.00
FactoryTalk® Updater – Client       CVE-2024-10944  All versions                      v4.20.00
FactoryTalk® Updater – Agent        CVE-2024-10945  All versions                      v4.20.00

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-10943 IMPACT

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVSS 3.1 Base Score: 9.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 9.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE: CWE-922: Insecure Storage of Sensitive Information
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10944 IMPACT

A Remote Code Execution vulnerability exists in the affected product. The vulnerability requires a high level of permissions and exists due to improper input validation, which could allow a malicious Updater Agent to be deployed.

CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

- Control access to the server where FactoryTalk® Updater is running.
- Click the ‘Scan’ button, which will update the database.

CVE-2024-10945 IMPACT

A Local Privilege Escalation vulnerability exists in the affected product. The vulnerability requires a local, low privileged threat actor to replace certain files during update and exists due to a failure to perform proper security checks before installation.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-358: Improperly Implemented Security Check for Standard
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

- For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Copyright ©2022 Rockwell Automation, Inc.