Loading

ThinManager® ThinServer™ Improper Input Validation Vulnerabilities

Severity:
High,
Critical
Advisory ID:
SD1677
Data pubblicazione:
June 20, 2024
Ultimo aggiornamento:
October 16, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Workaround:
CVE IDs
CVE-2024-5988 ,
CVE-2024-5989,
CVE-2024-5990
Download
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
CVE-2024-5988
CVE-2024-5989
CVE-2024-5990
Riepilogo
ThinManager® ThinServer™ Improper Input Validation Vulnerabilities

ThinManager® ThinServer™ Improper Input Validation Vulnerabilities

Published Date: June 25, 2024

Last updated: June 25, 2024

Revision Number: 1.0

CVSS Score: 3.1: 9.8/10, 7.5/10, 4.0: 9.3/10, 8.7 /10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

First Known in software version

Corrected in software version (Available Here

)

ThinManager® ThinServer™

2024-5988

2024-5989

 

 

 

 

 

11.1.0

11.2.0

12.0.0

12.1.0

13.0.0

13.1.0

13.2.0

11.1.8

11.2.9

12.0.7

12.1.8

13.0.5

13.1.3

13.2.2

2024-5990

11.1.0

11.2.0

12.0.0

12.1.0

13.0.0

13.1.0

11.1.8

11.2.9

12.0.7

12.1.8

13.0.4

13.1.2

 

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations from the list below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.

·       Update to the corrected software versions via the ThinManager® Downloads Site

·       Limit remote access for TCP Port 2031 to known thin clients and ThinManager® servers.

·       Security Best Practices

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. This vulnerability was discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-5988 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the affected device.  

CVSS Base Score: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CVSS Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

 

CVE-2024-5989 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the affected device.   

CVSS Base Score: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CVSS Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

CVE-2024-5990 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within ThinServer™ and cause a denial-of-service condition on the affected device. 

CVSS Base Score: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

CVSS Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

 

Customers can use Stakeholder-Specific Vulnerability Categorization

to generate more environment-specific prioritization.

 

 ADDITIONAL RESOURCES

·       CVE-2024-5988 JSON

·       CVE-2024-5989 JSON

·       CVE-2024-5990 JSON

 

Copyright ©2022 Rockwell Automation, Inc.