Published Date: December 17, 2024
Last updated: December 17, 2024
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.3/10
AFFECTED PRODUCTS AND SOLUTION
Affected Products | Affected firmware revision | Corrected in firmware revision
PM1k 1408-BC3A-485 | <4.020 | 4.020
PM1k 1408-BC3A-ENT | <4.020 | 4.020
PM1k 1408-TS3A-485 | <4.020 | 4.020
PM1k 1408-TS3A-ENT | <4.020 | 4.020
PM1k 1408-EM3A-485 | <4.020 | 4.020
PM1k 1408-EM3A-ENT | <4.020 | 4.020
PM1k 1408-TR1A-485 | <4.020 | 4.020
PM1k 1408-TR2A-485 | <4.020 | 4.020
PM1k 1408-EM1A-485 | <4.020 | 4.020
PM1k 1408-EM2A-485 | <4.020 | 4.020
PM1k 1408-TR1A-ENT | <4.020 | 4.020
PM1k 1408-TR2A-ENT | <4.020 | 4.020
PM1k 1408-EM1A-ENT | <4.020 | 4.020
PM1k 1408-EM2A-ENT | <4.020 | 4.020
VULNERABILITY DETAILS
Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Vera Mens of Claroty Research - Team82.
CVE-2024-12371 IMPACT
A device takeover vulnerability exists in the affected product. This vulnerability allows configuration of a new Policyholder user via the API without any authentication. The Policyholder user is the most privileged user and can perform edit operations, create admin users, and perform a factory reset.
CVSS 3.1 Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-420: Unprotected Alternate Channel
CVE-2024-12372 IMPACT
A denial-of-service and possible remote code execution vulnerability exists in the affected product. The vulnerability results in corruption of heap memory, which may compromise the integrity of the system, potentially allowing for remote code execution or a denial-of-service attack.
CVSS 3.1 Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-122: Heap-based Buffer Overflows
CVE-2024-12373 IMPACT
A denial-of-service vulnerability exists in the affected product. The vulnerability results in a buffer overflow, potentially causing a denial of service.
CVSS 3.1 Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices where possible.
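To find which installed units still need the corrected firmware, an asset inventory can be checked against the table above. The following is an added example, not Rockwell Automation code; the CSV column names, the asset names, and the reading of "4.020" as major 4, minor 20 are assumptions.

```python
import csv
import io
import re

# Catalog numbers and corrected revision as listed in the advisory's table.
MODELS = ("BC3A", "TS3A", "EM3A", "TR1A", "TR2A", "EM1A", "EM2A")
AFFECTED = {f"1408-{m}-{iface}" for m in MODELS for iface in ("485", "ENT")}
FIXED = (4, 20)  # "4.020" read as major 4, minor 20 (assumed format)

def parse_revision(text):
    """Return (major, minor) for strings like '4.020' or 'v4.019', else None."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def normalize_catalog(text):
    """Upper-case and drop a leading 'PM1k' label so exports compare equal."""
    return re.sub(r"^PM1K\s+", "", (text or "").strip().upper())

def triage(inventory_csv):
    """Classify each row; an unreadable revision on a listed device fails closed."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        catalog = normalize_catalog(row["catalog"])
        rev = parse_revision(row["firmware"])
        if catalog not in AFFECTED:
            status = "NOT_LISTED"   # not in this advisory's table
        elif rev is None:
            status = "REVIEW"       # listed device, revision unreadable
        elif rev < FIXED:
            status = "UPGRADE"      # below the corrected revision
        else:
            status = "OK"
        results.append((row["asset"], catalog, status))
    return results

# Constructed sample inventory (asset names and revisions are made up).
SAMPLE = """asset,catalog,firmware
pm-line1,1408-EM3A-ENT,4.019
pm-line2,PM1k 1408-BC3A-485,4.020
pm-sub3,1408-tr2a-ent,v4.010
pm-sub4,1408-TS3A-ENT,unknown
other-01,OTHER-DEVICE,33.011
"""

if __name__ == "__main__":
    for asset, catalog, status in triage(SAMPLE):
        print(f"{asset:10} {catalog:16} {status}")
```

Rows marked REVIEW are listed catalog numbers whose revision could not be parsed and should be confirmed on the device.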