All the vulnerabilites related to Rockwell Automation - PowerFlex® 527
cve-2024-2426
Vulnerability from cvelistv5
Published
2024-03-25 20:17
Modified
2024-08-12 20:34
Severity ?
EPSS score ?
Summary
Rockwell Automation - Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Rockwell Automation | PowerFlex® 527 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.rockwellautomation.com/en-us/support/advisory.SD1664.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:rockwellautomation:powerflex_527_ac_drives_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "powerflex_527_ac_drives_firmware",
"vendor": "rockwellautomation",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "2.001.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-26T19:57:16.261756Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T20:34:49.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerFlex\u00ae 527",
"vendor": "Rockwell Automation ",
"versions": [
{
"status": "affected",
"version": " v2.001.x \u003c"
}
]
}
],
"datePublic": "2024-03-21T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA denial-of-service vulnerability exists in the Rockwell Automation PowerFlex\u00ae 527 due to improper input validation in the device. If exploited, a disruption in the CIP communication will occur and a manual restart will be required by the user to recover it.\u003c/span\u003e\n\n"
}
],
"value": "\nA denial-of-service vulnerability exists in the Rockwell Automation PowerFlex\u00ae 527 due to improper input validation in the device. If exploited, a disruption in the CIP communication will occur and a manual restart will be required by the user to recover it.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-25T20:18:33.240Z",
"orgId": "b73dd486-f505-4403-b634-40b078b177f0",
"shortName": "Rockwell"
},
"references": [
{
"url": "https://www.rockwellautomation.com/en-us/support/advisory.SD1664.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eThere is no fix currently for this vulnerability. Users using the affected software are encouraged to apply risk mitigations and security best practices, where possible.\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplement network segmentation confirming the device is on an isolated network.\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://literature.rockwellautomation.com/idc/groups/literature/documents/um/520-um002_-en-e.pdf\"\u003eDisable the web server\u003c/a\u003e, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight\"\u003eSecurity Best Practices\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\nThere is no fix currently for this vulnerability. Users using the affected software are encouraged to apply risk mitigations and security best practices, where possible.\n\n * Implement network segmentation confirming the device is on an isolated network.\n * Disable the web server https://literature.rockwellautomation.com/idc/groups/literature/documents/um/520-um002_-en-e.pdf , if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.\n * Security Best Practices https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight \n\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Rockwell Automation - Denial-of-service and Input Validation Vulnerabilities in PowerFlex\u00ae 527",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0",
"assignerShortName": "Rockwell",
"cveId": "CVE-2024-2426",
"datePublished": "2024-03-25T20:17:22.315Z",
"dateReserved": "2024-03-13T14:45:10.183Z",
"dateUpdated": "2024-08-12T20:34:49.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-2425
Vulnerability from cvelistv5
Published
2024-03-25 20:14
Modified
2024-08-01 19:11
Severity ?
EPSS score ?
Summary
Rockwell Automation - Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Rockwell Automation | PowerFlex® 527 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-28T18:27:55.373294Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:30:25.436Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.614Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://https://www.rockwellautomation.com/en-us/support/advisory.SD1664.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerFlex\u00ae 527",
"vendor": "Rockwell Automation ",
"versions": [
{
"status": "affected",
"version": " v2.001.x \u003c"
}
]
}
],
"datePublic": "2024-03-21T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA denial-of-service vulnerability exists in the Rockwell Automation PowerFlex\u00ae 527 due to improper input validation in the device. If exploited, the web server will crash and need a manual restart to recover it.\u003c/span\u003e\n\n"
}
],
"value": "\nA denial-of-service vulnerability exists in the Rockwell Automation PowerFlex\u00ae 527 due to improper input validation in the device. If exploited, the web server will crash and need a manual restart to recover it.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-25T20:18:14.816Z",
"orgId": "b73dd486-f505-4403-b634-40b078b177f0",
"shortName": "Rockwell"
},
"references": [
{
"url": "https://https://www.rockwellautomation.com/en-us/support/advisory.SD1664.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eThere is no fix currently for this vulnerability. Users using the affected software are encouraged to apply risk mitigations and security best practices, where possible.\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplement network segmentation confirming the device is on an isolated network.\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://literature.rockwellautomation.com/idc/groups/literature/documents/um/520-um002_-en-e.pdf\"\u003eDisable the web server\u003c/a\u003e, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight\"\u003eSecurity Best Practices\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\nThere is no fix currently for this vulnerability. Users using the affected software are encouraged to apply risk mitigations and security best practices, where possible.\n\n * Implement network segmentation confirming the device is on an isolated network.\n * Disable the web server https://literature.rockwellautomation.com/idc/groups/literature/documents/um/520-um002_-en-e.pdf , if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.\n * Security Best Practices https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight \n\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Rockwell Automation - Denial-of-service and Input Validation Vulnerabilities in PowerFlex\u00ae 527",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0",
"assignerShortName": "Rockwell",
"cveId": "CVE-2024-2425",
"datePublished": "2024-03-25T20:14:01.767Z",
"dateReserved": "2024-03-13T14:45:09.065Z",
"dateUpdated": "2024-08-01T19:11:53.614Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-2427
Vulnerability from cvelistv5
Published
2024-03-25 20:20
Modified
2024-08-21 14:57
Severity ?
EPSS score ?
Summary
Rockwell Automation - Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Rockwell Automation | PowerFlex® 527 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.rockwellautomation.com/en-us/support/advisory.SD1664.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:rockwellautomation:powerflex_527_ac_drives_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "powerflex_527_ac_drives_firmware",
"vendor": "rockwellautomation",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "2.001.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T14:54:12.568778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T14:57:19.700Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerFlex\u00ae 527",
"vendor": "Rockwell Automation ",
"versions": [
{
"status": "affected",
"version": " v2.001.x \u003c"
}
]
}
],
"datePublic": "2024-03-21T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA denial-of-service vulnerability exists in the Rockwell Automation PowerFlex\u00ae 527 due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.\u003c/span\u003e\n\n"
}
],
"value": "\nA denial-of-service vulnerability exists in the Rockwell Automation PowerFlex\u00ae 527 due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-153",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-153 Input Data Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-25T20:20:41.295Z",
"orgId": "b73dd486-f505-4403-b634-40b078b177f0",
"shortName": "Rockwell"
},
"references": [
{
"url": "https://www.rockwellautomation.com/en-us/support/advisory.SD1664.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eThere is no fix currently for this vulnerability. Users using the affected software are encouraged to apply risk mitigations and security best practices, where possible.\u003c/p\u003e\u003cul\u003e\u003cli\u003eImplement network segmentation confirming the device is on an isolated network.\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://literature.rockwellautomation.com/idc/groups/literature/documents/um/520-um002_-en-e.pdf\"\u003eDisable the web server\u003c/a\u003e, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight\"\u003eSecurity Best Practices\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e"
}
],
"value": "\nThere is no fix currently for this vulnerability. Users using the affected software are encouraged to apply risk mitigations and security best practices, where possible.\n\n * Implement network segmentation confirming the device is on an isolated network.\n * Disable the web server https://literature.rockwellautomation.com/idc/groups/literature/documents/um/520-um002_-en-e.pdf , if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.\n * Security Best Practices https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight \n\n"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Rockwell Automation - Denial-of-service and Input Validation Vulnerabilities in PowerFlex\u00ae 527",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0",
"assignerShortName": "Rockwell",
"cveId": "CVE-2024-2427",
"datePublished": "2024-03-25T20:20:41.295Z",
"dateReserved": "2024-03-13T14:46:09.865Z",
"dateUpdated": "2024-08-21T14:57:19.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}