Severity:
High
Advisory ID:
PN1604
Published Date:
September 22, 2022
Last Updated:
September 22, 2022
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2022-38742
Summary
ThinManager Software Vulnerable to Arbitrary Code Execution and Denial-Of-Service Attack
Revision History
Revision History
Version 1.0 – September 22, 2022 – Initial Version
Executive Summary
A vulnerability was discovered by rgod working with Trend Micro’s Zero Day Initiative and reported to Rockwell Automation. The vulnerability was discovered in the ThinManager® ThinServer™ software. Successful exploitation of this vulnerability could allow an attacker to make the software unresponsive or execute arbitrary code.
Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including recommended countermeasures, are listed below.
Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including recommended countermeasures, are listed below.
Affected Products
| ThinManager ThinServer software | Versions |
| 11.0.0 – 11.0.4 | |
| 11.1.0 – 11.1.4 | |
| 11.2.0 – 11.2.5 | |
| 12.0.0 – 12.0.2 | |
| 12.1.0 – 12.1.3 | |
| 13.0.0 |
Vulnerability Details
CVE 2022-38742 ThinManager ThinServer Heap-Based Overflow
CVSS Base Score: 8.1 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
In affected versions, an attacker can send a specifically crafted TFTP or HTTPS request causing a heap-based buffer overflow that crashes the ThinServer process. This potentially exposes the server to arbitrary remote code execution.
CVSS Base Score: 8.1 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
In affected versions, an attacker can send a specifically crafted TFTP or HTTPS request causing a heap-based buffer overflow that crashes the ThinServer process. This potentially exposes the server to arbitrary remote code execution.
Risk Mitigation & User Action
Customers are directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| CVE-2022-38742 | Versions Affected | Suggested Actions |
| 11.0.0 – 11.0.4 | Update to v11.00.05 | |
| 11.1.0 – 11.1.4 | Update to v11.01.05 | |
| 11.2.0 – 11.2.5 | Update to v11.02.06 | |
| 12.0.0 – 12.0.2 | Update to v12.00.03 | |
| 12.1.0 – 12.1.3 | Update to v12.01.04 | |
| 13.0.0 | Update to v13.00.01 |
Additional Mitigations
If users are unable to update to the patched version, they should put the following mitigation in place:- Block network access to the ThinManager TFTP and HTTPS ports from endpoints other than ThinManager managed thin clients
References
CVE-2022-38742
Copyright ©2022 Rockwell Automation, Inc.