SD1708 | Security Advisory | Rockwell Automation

Severity:

High,

Critical

Advisory ID:

SD1708

Fecha de publicación:

October 25, 2024

Última actualización:

October 25, 2024

Revision Number:

1.0

Known Exploited Vulnerability (KEV):

Corrected:

Sí

Workaround:

Sí

CVE IDs

CVE-2024-10386,

CVE-2024-10387

Descargas

The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:

CVE-2024-10386

CVE-2024-10387

Resumen

ThinManager® Multiple Vulnerabilities

Published Date: 10/25/2024
Last Updated: 10/25/2024
Revision Number: 1.0
CVSS Score: Multiple, see below

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Version(s)

Corrected Version(s)

ThinManager®

11.2.0-11.2.9

12.0.0-12.0.7

12.1.0-12.1.8

13.0.0-13.0.5

13.1.0-13.1.3

13.2.0-13.2.2

14.0.0

11.2.10

12.0.8

12.1.9

13.0.6

13.1.4

13.2.3

14.0.1

Available here: ThinManager Downloads | ThinManager ®

VULNERABILITY DETAILS

The security of our products is important to us as your chosen industrial automation supplier. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. These vulnerabilities were discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-10386 IMPACT

An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulation.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-306: Missing Authentication for Critical Function
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10387 IMPACT

A Denial-of-Service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in Denial-of-Service.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-125: Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply these risk mitigations, if possible.

If able, navigate to the ThinManager® download site
and upgrade to a corrected version of ThinManager® .

Implement network hardening for ThinManager® Device(s) by limiting communications to TCP 2031 to only the devices that require connection to the ThinManager® .

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices
to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization

to generate more environment-specific prioritization.