Published Date: November 12th, 2024
Last updated: November 12th, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.3/10, v4.0: 7.0/10
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve our customer’s business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product |
First Known in Software Revision |
Corrected in Software Revision |
FactoryTalk View ME |
>= V14; when using default folders privileges |
V15 |
Mitigations and Workarounds
Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
· To enhance security and prevent unauthorized modifications to HMI project files, harden the Windows OS by removing the INTERACTIVE group from the folder’s security properties.
· Add specific users or user groups and assign their permissions to this folder using the least privileges principle. Users with read-only permission can still test run and run the FactoryTalk View ME Station.
· Guidance can be found in FactoryTalk View ME v14 Help topic: “HMI projects folder settings”. It can be opened through FactoryTalk View ME Studio menu “help\Contents\FactoryTalk View ME Help\Create a Machine Edition application->Open applications->HMI project folder settings”. Security Best Practices
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.
CVE-2024-37365 IMPACT
A remote code execution vulnerability exists in the affected product. The vulnerability allows users to save projects within the public directory allowing anyone with local access to modify and/or delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate their privileges by changing the macro to execute arbitrary code.
CVSS 3.1 Base Score: 7.3/10
CVSS Vector: CVSS: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 7.0/10
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.