Revision History
Revision Number
1.0
Revision History
Version 1.0 - September 19, 2023
Executive Summary
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
Affected Products
| Affected Product | First Known in firmware revision | Corrected in firmware revision |
|---|---|---|
| 2711R-T10T | v3.011 | v6.011 |
| 2711R-T7T | ||
| 2711R-T4T |
Vulnerability Details
An input/output validation vulnerability exists in a third-party component that the PanelView™ 800 utilizes. Libpng, which is PNG’s reference library, version 1.6.32 and earlier does not properly check the length of chunks against the user limit. Libpng versions prior to 1.6.32 are susceptible to a vulnerability which, when successfully exploited, could potentially lead to a disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Risk Mitigation & User Action
Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
- Update to v6.011 or later that mitigates the issue.
- Implement QA43240 - Recommended Security Guidelines from Rockwell Automation.
