Published Date: May 14, 2024
Last updated: May 14, 2024
Revision Number: 1.0
CVSS Score: v3.1: 6.5/10, v4.0: 7.0/10 (the v3.1 base score follows from the vector string given under Vulnerability Details)
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in software version | Corrected in software version
FactoryTalk® Remote Access™ (FTRA) | v13.5.0.174 | v13.6
VULNERABILITY DETAILS
Rockwell Automation used versions 3.1 and 4.0 of the Common Vulnerability Scoring System (CVSS) to assess the following vulnerability.
CVE-2024-3640 IMPACT
An unquoted executable path (CWE-428) exists in the affected product and could result in arbitrary code execution if exploited. While the FTRA installer package runs, it launches an executable using a path that is not properly quoted and that contains spaces, so Windows resolves the path ambiguously and may run an executable planted at an earlier point in that path instead of the intended one. Because the installer runs with elevated privileges, the planted executable would run as the SYSTEM user. The attack vector is local (AV:L): a threat actor needs administrative privileges on the host (PR:H) to place the file and exploit this vulnerability, and a user must run the installer (UI:R), so the practical effect is elevation from an administrative account to SYSTEM.
CVSS Base Score v3.1: 6.5/10
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-428: Unquoted Search Path or Element
CVSS Base Score v4.0: 7.0/10
CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
Users can use the Stakeholder-Specific Vulnerability Categorization (SSVC) framework to generate more environment-specific prioritization.
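The unquoted-path behavior described above can be checked on any Windows command line (service ImagePath values, installer-spawned processes) without running the installer. The following is an added example written for this advisory, not Rockwell Automation code, and it does not inspect FactoryTalk Remote Access. It models the candidate order the Windows CreateProcess() documentation gives for an unquoted application path containing spaces and runs that model over constructed sample command lines; the sample service names and paths are invented, and the rule "stop at the first prefix ending in .exe" is a heuristic of this example for identifying the intended binary.

```python
"""Model of Windows executable-path resolution for CWE-428 checks.

Added example for this advisory; not Rockwell Automation code and not an
inspection of FactoryTalk Remote Access. Reproduces the candidate order
documented for CreateProcess() with an unquoted, space-containing path,
then lists the locations a planted executable could occupy.
"""
import ntpath
from typing import Iterable


def split_executable(cmd: str) -> tuple[str, bool]:
    """Return (executable text, was_quoted) for a command line.

    A quoted command line names one unambiguous executable. An unquoted
    one is returned whole, because the loader cannot know where the path
    ends and the arguments begin; that ambiguity is the CWE-428 flaw.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end != -1 else cmd[1:], True)
    return (cmd, False)


def createprocess_candidates(cmd: str) -> list[str]:
    """Executables the loader would try, in order, for this command line.

    For an unquoted path the loader tries each prefix that ends at a
    space, appending ".exe" when the prefix's last component has no
    extension. Heuristic assumed by this example: the first prefix ending
    in ".exe" is the intended binary, so enumeration stops there.
    """
    exe, quoted = split_executable(cmd)
    if quoted:
        return [exe]
    candidates: list[str] = []
    tokens = exe.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        if not ntpath.splitext(ntpath.basename(prefix))[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_points(cmd: str) -> list[str]:
    """Paths tried before the intended binary: where a file could be planted."""
    return createprocess_candidates(cmd)[:-1]


def exploitable_hijack_points(cmd: str, writable_dirs: Iterable[str]) -> list[str]:
    """Hijack points whose parent directory the attacker can write to.

    On a real host writable_dirs comes from an ACL check (icacls, Get-Acl);
    here the caller passes a constructed set.
    """
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    return [
        p for p in hijack_points(cmd)
        if ntpath.dirname(p).rstrip("\\").lower() in writable
    ]


# Constructed sample command lines (invented names; not real FTRA paths).
SAMPLE_COMMAND_LINES = {
    "VulnSvc": r"C:\Program Files\Vendor Tools\Agent\agent.exe -service",
    "FixedSvc": r'"C:\Program Files\Vendor Tools\Agent\agent.exe" -service',
    "NoSpaces": r"C:\Tools\agent.exe -service",
}


def scan(command_lines: dict[str, str]) -> dict[str, list[str]]:
    """Return only the entries that expose at least one hijack point."""
    findings = {name: hijack_points(cmd) for name, cmd in command_lines.items()}
    return {name: pts for name, pts in findings.items() if pts}


if __name__ == "__main__":
    for name, points in scan(SAMPLE_COMMAND_LINES).items():
        print(f"{name}: unquoted path, hijack points -> {points}")
    # Constructed ACL result: assume a lower-privileged user can write C:\Program Files
    print(exploitable_hijack_points(SAMPLE_COMMAND_LINES["VulnSvc"], [r"C:\Program Files"]))
```

On a live Windows host the same model can be fed the PathName values from Win32_Service or the command line observed for the installer's child processes; quoting the path collapses the candidate list to the single intended binary, which is why FixedSvc produces no findings. The writable-directory filter is the check that matters for prioritization: a hijack point is only exploitable by a less-privileged user if that user can create the file, and for this CVE the advisory already rates PR:H, so the gain is elevation from an administrator to SYSTEM.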
Mitigations and Workarounds
Users of the affected software who are not able to upgrade to the corrected version are encouraged to apply the security best practices below, where possible.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.