Loading

FactoryTalk View ME Remote Code Execution Vulnerability via Project Save Path

Severity:
High
Advisory ID:
SD 1709
Published Date:
November 12, 2024
Last Updated:
November 12, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
CVE IDs
CVE-2024-37365
Downloads
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
Summary

Published Date: November 12th, 2024

Last updated: November 12th, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.3/10, v4.0: 7.0/10

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve our customer’s business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Revision

Corrected in Software Revision

FactoryTalk View ME

>= V14; when using default folders privileges

V15

 

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

·         To enhance security and prevent unauthorized modifications to HMI project files, harden the Windows OS by removing the INTERACTIVE group from the folder’s security properties.

·         Add specific users or user groups and assign their permissions to this folder using the least privileges principle. Users with read-only permission can still test run and run the FactoryTalk View ME Station.

·         Guidance can be found in FactoryTalk View ME v14 Help topic: “HMI projects folder settings”. It can be opened through FactoryTalk View ME Studio menu “help\Contents\FactoryTalk View ME Help\Create a Machine Edition application->Open applications->HMI project folder settings”.   Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-37365 IMPACT

A remote code execution vulnerability exists in the affected product. The vulnerability allows users to save projects within the public directory allowing anyone with local access to modify and/or delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate their privileges by changing the macro to execute arbitrary code.

CVSS 3.1 Base Score: 7.3/10 

CVSS Vector: CVSS: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

Copyright ©2022 Rockwell Automation, Inc.