Overview
The Cybersecurity and Infrastructure Security Agency (CISA) has alerted about new vulnerabilities in Rockwell Automation FactoryTalk ThinManager. The alert, designated ICSA-24-305-01, outlines serious security risks that could affect users of the software. With a CVSS v4 score of 9.3, these vulnerabilities demand immediate attention from security teams to safeguard industrial control systems.
The vulnerabilities identified in Rockwell Automation’s FactoryTalk ThinManager include “Missing Authentication for Critical Function” and “Out-of-Bounds Read.” These issues can allow remote attackers to manipulate databases or cause denial-of-service conditions.
The successful exploitation of these vulnerabilities poses a risk to users. Attackers could send specially crafted messages to FactoryTalk ThinManager devices, which might lead to serious consequences, including unauthorized database modifications or service disruptions.
Technical Details
Several versions of Rockwell Automation’s FactoryTalk ThinManager have been identified as vulnerable, including versions 11.2.0 to 11.2.9, 12.0.0 to 12.0.7, 12.1.0 to 12.1.8, 13.0.0 to 13.0.5, 13.1.0 to 13.1.3, 13.2.0 to 13.2.2, and version 14.0.0.
The first critical vulnerability, CVE-2024-10386, is categorized as “Missing Authentication for Critical Function” (CWE-306) and assigned a CVSS v3.1 base score of 9.8. This flaw allows network-accessible attackers to send crafted messages to FactoryTalk ThinManager, which could potentially result in database manipulation.
The second vulnerability, CVE-2024-10387, relates to an “Out-of-Bounds Read” (CWE-125) and poses a denial-of-service risk. It enables attackers with network access to send crafted messages that could disrupt FactoryTalk ThinManager’s operations. This vulnerability carries a CVSS v3.1 base score of 7.5 and a CVSS v4 score of 8.7, indicating a serious security concern.
Rockwell Automation has acknowledged these vulnerabilities, which significantly impact critical infrastructure sectors, particularly in manufacturing, and are deployed globally. To address the risks associated with these vulnerabilities, Rockwell Automation has made patches available for the affected versions on the FactoryTalk ThinManager download site and urges users to apply these updates without delay.
Additionally, users are advised to implement network hardening by restricting communications to TCP port 2031 only to necessary devices that require connection to the ThinManager. Following Rockwell Automation’s guidelines for security best practices is also encouraged to minimize risks in industrial automation control systems.
Recommendations from CISA
The Cybersecurity and Infrastructure Security Agency (CISA) recommends several defensive measures:
- Minimize network exposure for all control system devices, ensuring they are not accessible from the internet.
- Isolate control system networks and remote devices behind firewalls.
- Utilize secure methods for remote access, such as Virtual Private Networks (VPNs), while recognizing that these should be updated regularly.
- Perform comprehensive impact analysis and risk assessment before implementing defensive measures.
- Regularly review and apply security advisories from credible sources.
Conclusion
CISA encourages organizations to report any suspected malicious activity for tracking and correlation with other incidents. Currently, there have been no known public exploitations targeting these vulnerabilities.
Given the high severity of the vulnerabilities associated with Rockwell Automation’s FactoryTalk ThinManager, organizations must prioritize addressing these issues to maintain security within their industrial environments.
By adhering to recommended practices and implementing available patches, companies can reduce the risk of exploitation and protect their critical infrastructure.
Source: https://www.cisa.gov/news-events/ics-advisories/icsa-24-305-01
