Description
A vulnerability exists in Rockwell Automation FactoryTalk® Service Platform that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory. If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2024-19523
1. Vulnerability Assessment and Severity Evaluation
The vulnerability in Rockwell Automation FactoryTalk® Service Platform (FTSP) allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory. The severity of this vulnerability is rated with a CVSS Base Score of 9.8, which is considered critical. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates the following:
- Attack Vector (AV): Network (N) - The vulnerability is exploitable over the network.
- Attack Complexity (AC): Low (L) - No specialized conditions or preparation are needed to exploit it.
- Privileges Required (PR): None (N) - No privileges are required to exploit the vulnerability.
- User Interaction (UI): None (N) - No user interaction is required.
- Scope (S): Unchanged (U) - The impact stays within the security authority of the vulnerable component itself.
- Confidentiality (C): High (H) - There is a high impact on confidentiality.
- Integrity (I): High (H) - There is a high impact on integrity.
- Availability (A): High (H) - There is a high impact on availability.
2. Potential Attack Vectors and Exploitation Methods
- Token Interception: An attacker able to observe traffic could capture the service token in transit; because the token carries no digital signature binding it to its directory, the captured token is accepted as-is.
- Replay Attacks: The attacker could reuse the intercepted token to authenticate on another FTSP directory.
- Man-in-the-Middle (MitM) Attacks: An attacker could position themselves between the FTSP service and directory to capture and manipulate the service token.
- Credential Stuffing: Once the token is obtained, the attacker could use it to authenticate and gain unauthorized access to user information and modify settings.
3. Affected Systems and Software Versions
The vulnerability affects the following versions of Rockwell Automation FactoryTalk® Service Platform:
- FactoryTalk® Service Platform ≤ v6.31
4. Recommended Mitigation Strategies
- Patch Management: Apply the latest patches and updates provided by Rockwell Automation.
- Digital Signing: Implement digital signing for service tokens to ensure their integrity and authenticity.
- Network Segmentation: Segregate the network to limit the attack surface and reduce the risk of unauthorized access.
- Monitoring and Logging: Enhance monitoring and logging to detect any suspicious activities related to token usage.
- Access Controls: Implement strict access controls and authentication mechanisms to prevent unauthorized access.
- User Education: Educate users about the risks and best practices for handling service tokens and other sensitive information.
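The "Digital Signing" mitigation above is the core fix: a token that carries an integrity check and names the directory it was issued for cannot be replayed against a different directory. The following is an added illustration written for this page, not Rockwell Automation code; FTSP's real token format is not public here, so the claim names (`sub`, `aud`, `iat`, `exp`), the directory identifiers and the signing key are all assumptions. It places the weak pattern (a bare encoded token accepted by any directory) beside the hardened one (an HMAC over claims that include the target directory and an expiry).

```python
"""Service tokens: unbound/unsigned vs. HMAC-signed and directory-bound.

Added example for this page; not Rockwell/FTSP code. Token layout, claim
names, directory names and the key below are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for the example only; a deployment would use a per-installation secret.
SIGNING_KEY = b"example-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Weak pattern: claims are encoded but nothing ties the token to a directory ---
def issue_unsigned_token(user: str) -> str:
    claims = {"sub": user, "iat": int(time.time())}
    return _b64(json.dumps(claims).encode())


def accept_unsigned_token(token: str, directory: str) -> Optional[dict]:
    """Accepts any well-formed token, whichever directory it was meant for."""
    try:
        return json.loads(_unb64(token))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None


# --- Hardened pattern: HMAC-SHA256 over claims that name the target directory ---
def issue_signed_token(user: str, directory: str, ttl: int = 300, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "aud": directory, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def accept_signed_token(token: str, directory: str, now: Optional[int] = None) -> Optional[dict]:
    """Returns the claims only if the signature, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    if claims.get("aud") != directory:
        return None  # issued for another directory: replay rejected
    if claims.get("exp", 0) <= now:
        return None  # expired: limits the window for any captured token
    return claims


if __name__ == "__main__":
    weak = issue_unsigned_token("svc-account")
    print("unsigned token accepted by DirectoryB:", accept_unsigned_token(weak, "DirectoryB") is not None)
    strong = issue_signed_token("svc-account", "DirectoryA")
    print("signed token accepted by DirectoryA:", accept_signed_token(strong, "DirectoryA") is not None)
    print("signed token accepted by DirectoryB:", accept_signed_token(strong, "DirectoryB") is not None)
```

The audience check is what stops cross-directory reuse; the signature is what stops an attacker from simply rewriting the audience, and the expiry bounds how long a captured token stays useful. Asymmetric signatures (e.g. per-directory verification keys) follow the same shape and avoid sharing the HMAC secret between directories.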
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to European industrial control systems (ICS) and operational technology (OT) environments, particularly those using Rockwell Automation products. The potential for unauthorized access and modification of settings could lead to disruptions in critical infrastructure, data breaches, and financial losses. Organizations must prioritize the implementation of mitigation strategies to protect against such threats.
6. Technical Details for Security Professionals
- Vulnerability Type: Authentication Bypass
- CWE ID: CWE-287 (Improper Authentication)
- Exploitation Steps:
  - Intercept the service token during transmission.
  - Use the intercepted token to authenticate on another FTSP directory.
  - Retrieve user information and modify settings without authentication.
- Detection Methods:
  - Monitor network traffic for unusual token usage patterns.
  - Implement intrusion detection systems (IDS) to detect MitM attacks.
  - Regularly audit access logs for unauthorized activities.
- Remediation:
  - Ensure all FTSP installations are updated to the latest version.
  - Configure FTSP to use digital signing for service tokens.
  - Regularly review and update security policies and procedures.
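"Unusual token usage patterns" and "audit access logs" become concrete once there is a rule to apply. For this vulnerability the tell-tale pattern is one service token being accepted by more than one directory. The following is an added example, not part of the advisory: it runs that rule over constructed log lines. The log layout (`directory=`, `src=`, `token=`, `result=` fields) is an assumption for illustration; real FTSP or proxy logs need their own parser, and the same logic applies to any log that records which directory a token was presented to.

```python
"""Detection: flag a service token accepted by more than one FTSP directory.

Added example for this page. The log format below is constructed for the
illustration and is not FTSP's actual log format.
"""
import hashlib
import re
from collections import defaultdict

# Constructed sample lines: timestamp, directory, source address, token, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z directory=ftsp-dir-a src=10.1.1.20 token=AbC123 result=ok
2024-05-01T10:00:05Z directory=ftsp-dir-a src=10.1.1.20 token=AbC123 result=ok
2024-05-01T10:02:11Z directory=ftsp-dir-b src=10.9.9.99 token=AbC123 result=ok
2024-05-01T10:03:00Z directory=ftsp-dir-b src=10.1.1.31 token=XyZ789 result=ok
2024-05-01T10:04:42Z directory=ftsp-dir-a src=10.1.1.20 token=QrS456 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) directory=(?P<dir>\S+) src=(?P<src>\S+) "
    r"token=(?P<tok>\S+) result=(?P<res>\S+)$"
)


def parse(log_text: str) -> list:
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def fingerprint(token: str) -> str:
    """Alerts carry a hash of the token, never the raw secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def find_cross_directory_tokens(events: list) -> list:
    """Return one alert per token that was accepted by two or more directories."""
    seen = defaultdict(lambda: {"dirs": set(), "srcs": set(), "first": None, "last": None})
    for e in events:
        if e["res"] != "ok":
            continue  # only successful authentications count as token acceptance
        s = seen[e["tok"]]
        s["dirs"].add(e["dir"])
        s["srcs"].add(e["src"])
        s["first"] = s["first"] or e["ts"]
        s["last"] = e["ts"]
    alerts = []
    for tok, s in seen.items():
        if len(s["dirs"]) > 1:
            alerts.append({
                "token_fp": fingerprint(tok),
                "directories": sorted(s["dirs"]),
                "sources": sorted(s["srcs"]),
                "first_seen": s["first"],
                "last_seen": s["last"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_cross_directory_tokens(parse(SAMPLE_LOG)):
        print(alert)
```

In the sample, token `AbC123` is accepted by `ftsp-dir-a` from its usual host and then by `ftsp-dir-b` from a different address, which is exactly the cross-directory reuse the advisory describes; `XyZ789` is only ever seen on one directory and raises nothing. A second source address on the same token is a useful corroborating field in the alert but is deliberately not required, since reuse from the same host is still reuse.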
Conclusion
The vulnerability in Rockwell Automation FactoryTalk® Service Platform is critical and requires immediate attention. Organizations should prioritize patching affected systems, implementing digital signing, and enhancing monitoring and access controls to mitigate the risk. The European cybersecurity landscape must remain vigilant against such threats to protect critical infrastructure and ensure operational continuity.
References
- Rockwell Automation Advisory
- EUVD ID: EUVD-2024-19523
- CVE ID: CVE-2024-21917
- GSD ID: GSD-2024-21917