SD1702 | Security Advisory | Rockwell Automation | Rockwell Automation

Severity:

High

Advisory ID:

SD1702

Published Date:

October 04, 2024

Last Updated:

October 04, 2024

Revision Number:

1.0

Known Exploited Vulnerability (KEV):

Corrected:

Yes

Workaround:

CVE IDs

CVE-2024-7952,

CVE-2024-7953,

CVE-2024-7956

Summary

Sensitive Data Exposure and Escalating Privileges Vulnerabilities in DataMosaix™ Private Cloud

Published Date: 10/8/24

Revision Number: 1.0
CVSS Score: v3.1: 7.5, 8.8 v4.0: 8.7

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Versions	Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud	<=7.07	v7.09

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7952 IMPACT

A data exposure vulnerability exists in the affected product. There are hardcoded links in the source code that lead to JSON files that can be reached without authentication. If exploited, a threat actor could view customer data.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE: Exposure of Sensitive Information to an unauthorized Actor
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7953 IMPACT

A vulnerability exists in the affected products that allows a threat actor to create a project and become the administrator for it. If exploited, a threat actor could create, modify, and delete their own project.

CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Missing Authorization
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7956 IMPACT

A vulnerability exists in the affected products that allows a threat actor to gain access to user’s projects. To exploit this vulnerability the threat actor must have basic user privileges. If exploited, the threat actor can modify and delete the project.

CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 7.6
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

Security Best Practices

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES