Researchers from cybersecurity firm Tenable have identified vulnerabilities in Rockwell Automation’s ThinManager ThinServer product that could be exploited to target industrial control systems (ICS). The vulnerabilities, labeled as CVE-2023-2914, CVE-2023-2915, and CVE-2023-2917, are critical and high-severity. These flaws stem from improper input validation, leading to potential integer overflow or path traversal. Worryingly, remote attackers can exploit these vulnerabilities without prior authentication by sending specially crafted synchronization protocol messages.
The consequences of such exploitation include causing a denial-of-service (DoS) condition, deleting files with system privileges, and uploading files to any folder where ThinServer.exe resides. Tenable reported these vulnerabilities to Rockwell in May. On August 17, Rockwell informed its customers about available patches, coinciding with Tenable’s release of technical details. Although Tenable has crafted proof-of-concept exploits, they remain undisclosed to the public.
Tenable told SecurityWeek that the sole requirement for exploitation is network access to the vulnerable server. If the server is exposed to the internet, which goes against Rockwell’s best practices, it can be exploited directly from the internet. Tenable warned, “Successful exploitation can grant attackers full control of the ThinServer. The real-world ramifications hinge on the environment, server setup, and the content types the server accesses.”
The product is primarily used for human-machine interfaces (HMIs) that control and monitor industrial equipment. Attackers could potentially access these HMIs or pivot from the server to target other network assets. The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory regarding these vulnerabilities. Recent revelations indicate that threat actors are eyeing Rockwell Automation product vulnerabilities, emphasizing the need for heightened security measures.
Source: SecurityWeek