CVE-2024-21917
Vulnerability from cvelistv5
Published
2024-01-31 18:16
Modified
2024-10-17 17:09
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Rockwell Automation FactoryTalk® Service Platform Service Token Vulnerability
References
PSIRT@rockwellautomation.comhttps://www.rockwellautomation.com/en-us/support/advisory.SD1660.htmlVendor Advisory
Impacted products
Rockwell AutomationFactoryTalk® Service Platform
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:35:34.763Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.rockwellautomation.com/en-us/support/advisory.SD1660.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21917",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-06T05:00:19.636807Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-17T17:09:38.403Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "FactoryTalk\u00ae Service Platform",
          "vendor": "Rockwell Automation",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= v6.31"
            }
          ]
        }
      ],
      "datePublic": "2024-01-30T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in Rockwell Automation FactoryTalk\u00ae Service Platform that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory. \u0026nbsp;If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.\u003c/span\u003e\n\n"
            }
          ],
          "value": "\nA vulnerability exists in Rockwell Automation FactoryTalk\u00ae Service Platform that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory. \u00a0If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347 Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-31T18:16:27.949Z",
        "orgId": "b73dd486-f505-4403-b634-40b078b177f0",
        "shortName": "Rockwell"
      },
      "references": [
        {
          "url": "https://www.rockwellautomation.com/en-us/support/advisory.SD1660.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cp\u003eCustomers using \n\nRockwell Automation FactoryTalk\u00ae Service Platform\n\n are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdate to v6.40 or later.\u0026nbsp;\u003c/li\u003e\u003cli\u003eSet DCOM authentication level to 6, \u003ca target=\"_blank\" rel=\"nofollow\"\u003ewhich enables encryption of the service token and communication channel between the server and client. Please refer to \u003c/a\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1134040\"\u003eMitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eWhen it is not possible to update to v6.40 or later, enable verification of the publisher information (i.e., digital signature) of any executable attempting to use the FactoryTalk\u00ae Services APIs. This helps prevent a malicious user from calling the API to receive the service token. This setting can be changed from the Application Authorization node located within System Policies using the FactoryTalk\u00ae Administration Console application.\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight\"\u003eSecurity Best Practices\u003c/a\u003e\u003c/li\u003e\u003c/ul\u003e\n\n"
            }
          ],
          "value": "\nCustomers using \n\nRockwell Automation FactoryTalk\u00ae Service Platform\n\n are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.\n\n  *  Update to v6.40 or later.\u00a0\n  *  Set DCOM authentication level to 6,  Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com) https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1134040 \n  *  When it is not possible to update to v6.40 or later, enable verification of the publisher information (i.e., digital signature) of any executable attempting to use the FactoryTalk\u00ae Services APIs. This helps prevent a malicious user from calling the API to receive the service token. This setting can be changed from the Application Authorization node located within System Policies using the FactoryTalk\u00ae Administration Console application.\n  *   Security Best Practices https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight \n\n\n\n\n"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": " Rockwell Automation FactoryTalk\u00ae Service Platform Service Token Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0",
    "assignerShortName": "Rockwell",
    "cveId": "CVE-2024-21917",
    "datePublished": "2024-01-31T18:16:27.949Z",
    "dateReserved": "2024-01-03T16:40:50.367Z",
    "dateUpdated": "2024-10-17T17:09:38.403Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-21917\",\"sourceIdentifier\":\"PSIRT@rockwellautomation.com\",\"published\":\"2024-01-31T19:15:08.633\",\"lastModified\":\"2024-02-08T01:29:32.367\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nA vulnerability exists in Rockwell Automation FactoryTalk\u00ae Service Platform that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory. \u00a0If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.\\n\\n\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad en Rockwell Automation FactoryTalk\u00ae Service Platform que permite a un usuario malintencionado obtener el token de servicio y usarlo para autenticaci\u00f3n en otro directorio FTSP. Esto se debe a la falta de firma digital entre el token del servicio FTSP y el directorio. Si se explota, un usuario malintencionado podr\u00eda potencialmente recuperar informaci\u00f3n del usuario y modificar la configuraci\u00f3n sin ninguna autenticaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2},{\"source\":\"PSIRT@rockwellautomation.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]},{\"source\":\"PSIRT@rockwellautomation.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rockwellautomation:factorytalk_services_platform:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"6.31.00\",\"matchCriteriaId\":\"B58012D3-971A-4BE7-984B-D26120477A6C\"}]}]}],\"references\":[{\"url\":\"https://www.rockwellautomation.com/en-us/support/advisory.SD1660.html\",\"source\":\"PSIRT@rockwellautomation.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.