Loading

Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527

Severity:
High
Advisory ID:
SD1664
게시한 날짜:
March 21, 2024
최근 업데이트:
December 04, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
아니요
Corrected:
아니요
Workaround:
예
CVE IDs
CVE-2024-2425,
CVE-2024-2426,
CVE-2024-2427
다운로드
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
JSON
요약
Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527

Published Date: March 21, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

PowerFlex® 527

 v2.001.x <

n/a

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues.

CVE-2024-2425 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. The web server would then crash and need a manual restart to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2426 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. A disruption in the CIP communication could occur and a manual restart will be required by the user to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2427 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527. This is due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-400: Uncontrolled Resource Consumption

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Mitigations and Workarounds

There is no fix currently for this issue. Customers using the affected software should use the risk mitigations and security best practices.

  • Implement network segmentation confirming the device is on an isolated network.
  • Disable the web server, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.
  • Security Best Practices

 ADDITIONAL RESOURCES

  • JSON CVE-2024-2425
  • JSON CVE-2024-2426
  • JSON CVE-2024-2427

Glossary

CIP Communication: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. Comprises a series of protocols for communication between different devices and systems in automation technology

Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations

Traffic Throttling: a method used to intentionally slow down internet speed or data transmission to manage network congestion and ensure fair usage among users 

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Rockwell Automation 홈
  2. Chevron LeftChevron Left Trust Center
  3. Chevron LeftChevron Left Industrial Security Adv
  4. Chevron LeftChevron Left Industrial Security Advisory Detail
계속 진행하기 위해 쿠키 설정을 업데이트하십시오..
この機能には、お客様の利便性を向上させるためにクッキーが必要です。これらのクッキーを許可するように設定を更新してください:
  • 소셜 미디어 쿠키
  • 기능 쿠키
  • 성능 쿠키
  • 마케팅 쿠키
  • 모든 쿠키
귀하는 쿠키 설정을 언제든지 변경할 수 있습니다. 자세한 내용은 이곳에서 확인하십시오. {0} 개인 정보 보호 정책
CloseClose