Loading

Datalog Function within in FactoryTalk® View SE contains SQL Injection Vulnerability

Severity:
High
Advisory ID:
SD1670
Date de publication:
May 07, 2024
Date de la dernière mise à jour:
December 03, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
Non
Corrected:
Oui
Workaround:
Non
CVE IDs
CVE-2024-4609
Téléchargements
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
CVE-2024-4609
Résumé
Datalog Function within in FactoryTalk® View SE contains SQL Injection Vulnerability

 

Published Date:  May 15, 2024

Last updated: May 22, 2024  

May 22, 2024 - Updated corrected software versions

Revision Number: 2.0

CVSS Score: v3.1: 7.6/10, v4.0 8.8/10

 

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in software version

 

 

 

 

Corrected in software version

 

 

 

 

FactoryTalk® View SE 

 

 

 

 

< 14

 

 

 

 

V11,12,13, 14  or later

 

 

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.   

A vulnerability exists in the FactoryTalk® View SE Datalog function that could allow a threat actor to inject a malicious SQL statement if the SQL database has no authentication in place or if legitimate credentials were stolen. If exploited, the attack could result in information exposure, revealing sensitive information. Additionally, a threat actor could potentially modify and delete the data in a remote database. An attack would only affect the HMI design time, not runtime.    

 

CVE-2024-4609 IMPACT

CVSS v3.1 Base Score: 7.6

CVSS Vector String: CVSS 3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 

 

CVSS v4.0 Base Score: 8.8

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

CWE: CWE-20 Improper input invalidation

 

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environmentally specific prioritization.

 

Mitigations and Workarounds 

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.  

 

  • Security Best Practices  

 

ADDITIONAL RESOURCE

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

  • JSON CVE-2024-4609

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Rõôckwéêll Æýýtõômåätíîõôn Hõôméê Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
Veuillez mettre à jour vos préférences en matière de cookies pour continuer.
Cette fonctionnalité nécessite des cookies pour améliorer votre expérience. Veuillez mettre à jour vos préférences pour autoriser ces cookies:
  • Cookies de réseaux sociaux
  • Cookies fonctionnels
  • Cookies de performances
  • Cookies marketing
  • Tous les cookies
Vous pouvez mettre à jour vos préférences à tout moment. Pour plus d'informations, veuillez consulter notre politique de confidentialité
CloseClose