Loading

SD1670 | Datalog Function within in FactoryTalk® View SE contains SQL Injection Vulnerability

Severity:
High
Advisory ID:
SD1670
Published Date:
May 07, 2024
Last Updated:
May 07, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2024-4609
Summary
Datalog Function within in FactoryTalk® View SE contains SQL Injection Vulnerability

 

Published Date:  May 15, 2024

Last updated: May 22, 2024  

May 22, 2024 - Updated corrected software versions

Revision Number: 2.0

CVSS Score: v3.1: 7.6/10, v4.0 8.8/10

 

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in software version

 

 

 

 

Corrected in software version

 

 

 

 

FactoryTalk® View SE 

 

 

 

 

< 14

 

 

 

 

V11,12,13, 14  or later

 

 

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.   

A vulnerability exists in the FactoryTalk® View SE Datalog function that could allow a threat actor to inject a malicious SQL statement if the SQL database has no authentication in place or if legitimate credentials were stolen. If exploited, the attack could result in information exposure, revealing sensitive information. Additionally, a threat actor could potentially modify and delete the data in a remote database. An attack would only affect the HMI design time, not runtime.    

 

CVE-2024-4609 IMPACT

CVSS v3.1 Base Score: 7.6

CVSS Vector String: CVSS 3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 

 

CVSS v4.0 Base Score: 8.8

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

CWE: CWE-20 Improper input invalidation

 

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environmentally specific prioritization.

 

Mitigations and Workarounds 

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.  

 

 

ADDITIONAL RESOURCE

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

Copyright ©2022 Rockwell Automation, Inc.