Loading

SD1687 | Authentication Bypass Vulnerability in DataMosaix™

Severity:
High
Advisory ID:
SD 1687
Fecha de publicación:
August 13, 2024
Última actualización:
August 13, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2024-6078
Resumen
SD1687 | Authentication Bypass Vulnerability in DataMosaix™

Published Date: 8/13/2024

Updated Date: 8/13/2024 
Revision Number: 1.0

CVSS: v3.1: 9.1, v4.0: 8.6 

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in Software Version Corrected in Software Version
DataMosaix™ Private Cloud

V7.07 <

v7.09 or later 

 

Mitigations and Workarounds

  • Customers using the affected software are encouraged to upgrade the DataMosaix™ Private Cloud software from V7.07 to V7.09. The application support team will work with respective customers to upgrade. 

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAIL

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6078 IMPACT

An improper authentication vulnerability exists in the affected product, which could allow a malicious user to generate cookies for any user ID without the use of a username or password. If exploited, a malicious user could take over the account of a legitimate user. The malicious user would be able to view and modify data stored in the cloud. 

CVSS Base Score: 9.1  
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS Base Score: 8.6 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N 
CWE-287:  Improper Authentication 
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

Copyright ©2022 Rockwell Automation, Inc.