Loading

SD1664 | Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527

Severity:
High
Advisory ID:
SD1664
Published Date:
March 21, 2024
Last Updated:
March 21, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2024-2425,
CVE-2024-2426,
CVE-2024-2427
Summary
Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527

Published Date: March 21, 2024
Last updated: March 21, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

PowerFlex® 527

 v2.001.x <

n/a

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-2425 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper input validation in the device. If exploited, the web server will crash and need a manual restart to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2426 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper input validation in the device. If exploited, a disruption in the CIP communication will occur and a manual restart will be required by the user to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2427 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-400: Uncontrolled Resource Consumption

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

There is no fix currently for this vulnerability. Users using the affected software are encouraged to apply risk mitigations and security best practices, where possible.

  • Implement network segmentation confirming the device is on an isolated network.
  • Disable the web server, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.
  • Security Best Practices

 ADDITIONAL RESOURCES

Copyright ©2022 Rockwell Automation, Inc.