SD1677 | Security Advisory | Rockwell Automation

Severity:

High,

Critical

Advisory ID:

SD1677

Published Date:

June 20, 2024

Last Updated:

October 16, 2024

Revision Number:

1.0

Known Exploited Vulnerability (KEV):

Corrected:

Yes

Workaround:

Yes

CVE IDs

CVE-2024-5988 ,

CVE-2024-5989,

CVE-2024-5990

Downloads

The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:

JSON

Summary

ThinManager® ThinServer™ Improper Input Validation Vulnerabilities

ThinManager® ThinServer™ Improper Input Validation Vulnerabilities

Published Date: June 25, 2024

Last updated: June 25, 2024

Revision Number: 1.0

CVSS Score: 3.1: 9.8/10, 7.5/10, 4.0: 9.3/10, 8.7 /10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

First Known in software version

Corrected in software version (Available Here)

ThinManager® ThinServer™

2024-5988

2024-5989

11.1.0

11.2.0

12.0.0

12.1.0

13.0.0

13.1.0

13.2.0

11.1.8

11.2.9

12.0.7

12.1.8

13.0.5

13.1.3

13.2.2

2024-5990

11.1.0

11.2.0

12.0.0

12.1.0

13.0.0

13.1.0

11.1.8

11.2.9

12.0.7

12.1.8

13.0.4

13.1.2

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations from the list below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.

· Update to the corrected software versions via the ThinManager® Downloads Site

· Limit remote access for TCP Port 2031 to known thin clients and ThinManager® servers.

· Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. This vulnerability was discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-5988 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the affected device.

CVSS Base Score: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

CVE-2024-5989 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the affected device.

CVSS Base Score: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

CVE-2024-5990 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within ThinServer™ and cause a denial-of-service condition on the affected device.

CVSS Base Score: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

· CVE-2024-5988 JSON

· CVE-2024-5989 JSON

· CVE-2024-5990 JSON