Scribd
Upload
19 views3 pages

SD1709 _ Security Advisory _ Rockwell Automation _ US

SD1709 Security Advisory Rockwell Automation

Uploaded by

jediael.pj
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
19 views3 pages

SD1709 _ Security Advisory _ Rockwell Automation _ US

SD1709 Security Advisory Rockwell Automation

Uploaded by

jediael.pj
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

26/11/2024, 14:19 SD1709 | Security Advisory | Rockwell Automation | US

FactoryTalk View ME
Remote Code
Execution
Vulnerability via
Project Save Path
Severity: High CVE IDs Downloads

Advisory ID: SD1709 CVE-2024-37365 The following link(s) provide the


security advisory in Vulnerability
Published Date: November 12, 2024 Exploitability Exchange format:
Last Updated: November 12, 2024 CVE-2024-37365
Revision Number: 1.0

Known Exploited Vulnerability (KEV):

No

Corrected: Yes

Workaround: Yes

Summary

Published Date: November 12th, 2024

Last updated: November 12th, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.3/10, v4.0: 7.0/10

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1709.html 1/3
26/11/2024, 14:19 SD1709 | Security Advisory | Rockwell Automation | US

The security of our products is important to us as your chosen industrial automation supplier. This
anomaly was found internally during routine testing and is being reported based on our commitment
to customer transparency and to improve our customer’s business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in Software Corrected in Software


Revision Revision

FactoryTalk View ME >= V14; when using default V15


folders privileges

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are
encouraged to apply security best practices, where possible.

· To enhance security and prevent unauthorized modifications to HMI project files, harden the
Windows OS by removing the INTERACTIVE group from the folder’s security properties.

· Add specific users or user groups and assign their permissions to this folder using the least
privileges principle. Users with read-only permission can still test run and run the FactoryTalk View
ME Station.

· Guidance can be found in FactoryTalk View ME v14 Help topic: “HMI projects folder settings”. It
can be opened through FactoryTalk View ME Studio menu “help\Contents\FactoryTalk View ME
Help\Create a Machine Edition application->Open applications->HMI project folder settings”.
Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following
vulnerabilities.

CVE-2024-37365 IMPACT

A remote code execution vulnerability exists in the affected product. The vulnerability allows users
to save projects within the public directory allowing anyone with local access to modify and/or
delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate
their privileges by changing the macro to execute arbitrary code.

CVSS 3.1 Base Score: 7.3/10

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1709.html 2/3
26/11/2024, 14:19 SD1709 | Security Advisory | Rockwell Automation | US

CVSS Vector: CVSS: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more


environment specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format,
which is machine readable and can be used to automate vulnerability management and tracking
activities.

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1709.html 3/3

You might also like