Loading

Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527

Severity:
High
Advisory ID:
SD1664
게시한 날짜:
March 21, 2024
최근 업데이트:
December 04, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
아니요
Corrected:
아니요
Workaround:
예
CVE IDs
CVE-2024-2425,
CVE-2024-2426,
CVE-2024-2427
파일(다운로드)
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
CVE-2024-2425
CVE-2024-2426
CVE-2024-2427
요약
Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527

Published Date: March 21, 2024
Last updated: March 21, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

PowerFlex® 527

 v2.001.x <

n/a

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-2425 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper input validation in the device. If exploited, the web server will crash and need a manual restart to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2426 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper input validation in the device. If exploited, a disruption in the CIP communication will occur and a manual restart will be required by the user to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2427 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-400: Uncontrolled Resource Consumption

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

There is no fix currently for this vulnerability. Users using the affected software are encouraged to apply risk mitigations and security best practices, where possible.

  • Implement network segmentation confirming the device is on an isolated network.
  • Disable the web server, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.
  • Security Best Practices

 ADDITIONAL RESOURCES

  • JSON CVE-2024-2425
  • JSON CVE-2024-2426
  • JSON CVE-2024-2427
Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Rockwell Automation 홈 Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
계속 진행하기 위해 쿠키 설정을 업데이트하십시오..
この機能には、お客様の利便性を向上させるためにクッキーが必要です。これらのクッキーを許可するように設定を更新してください:
  • 소셜 미디어 쿠키
  • 기능 쿠키
  • 성능 쿠키
  • 마케팅 쿠키
  • 모든 쿠키
귀하는 쿠키 설정을 언제든지 변경할 수 있습니다. 자세한 내용은 이곳에서 확인하십시오. 개인 정보 보호 정책
CloseClose