-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1693
       ICS Advisory | ICSA-23-080-06 Rockwell Automation ThinManager
                               22 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Rockwell Automation ThinManager
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-28757 CVE-2023-28756 CVE-2023-28755

Original Bulletin: 
   https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-06

Comment: CVSS (Max):  9.8 CVE-2023-28755 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-080-06)

Rockwell Automation ThinManager

Release Date
March 21, 2023

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Rockwell Automation
  o Equipment: ThinManager ThinServer
  o Vulnerabilities: Path Traversal, Heap-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated
remote attacker to upload or download arbitrary files on the ThinServer host,
potentially leading to remote code execution, or to crash ThinServer.exe
(denial of service).

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation ThinManager ThinServer, a thin
client and remote desktop protocol (RDP) server management software, are
affected:

  o ThinManager ThinServer: Versions 6.x - 10.x
  o ThinManager ThinServer: Versions 11.0.0 - 11.0.5
  o ThinManager ThinServer: Versions 11.1.0 - 11.1.5
  o ThinManager ThinServer: Versions 11.2.0 - 11.2.6
  o ThinManager ThinServer: Versions 12.0.0 - 12.0.4
  o ThinManager ThinServer: Versions 12.1.0 - 12.1.5
  o ThinManager ThinServer: Versions 13.0.0 - 13.0.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22

In affected versions, a path traversal exists when processing a message. An
unauthenticated remote attacker could potentially exploit this vulnerability to
upload arbitrary files to any directory on the disk drive where ThinServer.exe
is installed. The attacker could overwrite existing executable files with
attacker-controlled, malicious contents, potentially causing remote code
execution.

CVE-2023-28755 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22

In affected versions, a path traversal exists when processing a type 8 message.
An unauthenticated remote attacker could exploit this vulnerability to download
arbitrary files on the disk drive where ThinServer.exe is installed.

CVE-2023-28756 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 HEAP-BASED BUFFER OVERFLOW CWE-122

In affected versions, a heap-based buffer over-read occurs when a message's
length field indicates more data than is actually present in the message. An
unauthenticated remote attacker could exploit this vulnerability to crash
ThinServer.exe with a read access violation; the impact is denial of service
(the CVSS vector reflects availability impact only).

CVE-2023-28757 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

James Swann of Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation encourages users to implement the risk mitigations provided
below. Users should also combine these mitigations with the general security
guidelines, if possible.

Rockwell Automation has released the following updates for the affected
versions:

  o Versions 6.x - 10.x: These versions are retired. Users should update to a
    supported version.
  o Versions 11.0.0 - 11.0.5: Update to v11.0.6
  o Versions 11.1.0 - 11.1.5: Update to v11.1.6
  o Versions 11.2.0 - 11.2.6: Update to v11.2.7
  o Versions 12.0.0 - 12.0.4: Update to v12.0.5
  o Versions 12.1.0 - 12.1.5: Update to v12.1.6
  o Versions 13.0.0 - 13.0.1: Update to v13.0.2
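The version table above is what an inventory check has to encode. The following
script is an added example (not code from Rockwell Automation, CISA or AusCERT)
that transcribes the affected ranges and fixed releases from this section and
classifies installed ThinServer versions against them. The dotted-integer
version format ("12.1.3") is an assumption, as are the hostnames and versions in
the constructed sample inventory.

```python
"""Version triage for ICSA-23-080-06 (ThinManager ThinServer).

Added example, not code from Rockwell Automation, CISA or AusCERT. The
affected ranges and fixed releases are transcribed from section 4 of the
advisory; the dotted-integer version format ("12.1.3") is an assumption,
as are the hostnames and versions in the sample inventory.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fixed release), per the advisory.
FIXED_BRANCHES: List[Tuple[Version, Version, str]] = [
    ((11, 0, 0), (11, 0, 5), "11.0.6"),
    ((11, 1, 0), (11, 1, 5), "11.1.6"),
    ((11, 2, 0), (11, 2, 6), "11.2.7"),
    ((12, 0, 0), (12, 0, 4), "12.0.5"),
    ((12, 1, 0), (12, 1, 5), "12.1.6"),
    ((13, 0, 0), (13, 0, 1), "13.0.2"),
]
# "Versions 6.x - 10.x: retired", i.e. affected with no patched release.
RETIRED_MAJORS = range(6, 11)


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch[.build]' into (major, minor, patch).

    Missing components are treated as 0; a trailing build number is ignored
    because the advisory's ranges are expressed at three-component granularity.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ValueError(f"unrecognised ThinServer version: {text!r}")
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def triage(version_text: str) -> Dict[str, object]:
    """Classify one installed version against the advisory's table."""
    v = parse_version(version_text)
    if v[0] in RETIRED_MAJORS:
        return {"version": version_text, "affected": True, "fixed_in": None,
                "action": "retired branch: migrate to a supported, patched release"}
    for first, last, fixed in FIXED_BRANCHES:
        if first <= v <= last:
            return {"version": version_text, "affected": True, "fixed_in": fixed,
                    "action": f"update to v{fixed}"}
    # Either a fixed release, a later release, or a version the advisory does not list.
    return {"version": version_text, "affected": False, "fixed_in": None,
            "action": "not in an affected range listed by ICSA-23-080-06"}


def affected_hosts(inventory: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (host, version, fixed_in) for every inventory entry that is affected."""
    out: List[Tuple[str, str, Optional[str]]] = []
    for host, version in sorted(inventory.items()):
        r = triage(version)
        if r["affected"]:
            out.append((host, version, r["fixed_in"]))  # type: ignore[arg-type]
    return out


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"thinsrv-01": "12.1.3", "thinsrv-02": "12.1.6", "thinsrv-03": "8.1.0",
              "thinsrv-04": "11.2.6.2", "thinsrv-05": "13.0.2"}
    for host, version, fixed in affected_hosts(sample):
        print(f"{host}: {version} affected, "
              + (f"update to v{fixed}" if fixed else "retired branch"))
```

Versions that fall outside every listed range (for example a release newer than
the fix, or one older than 6.x) are reported as not affected by this advisory
only; that is a statement about the table, not a guarantee that the build is
free of other issues.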

If users are unable to update to a patched version, the following mitigation
should be put in place to reduce the risk of exploitation of these
vulnerabilities:

  o Limit remote access to port 2031/TCP on ThinServer hosts to the known thin
    clients and ThinManager servers that need it. All three vulnerabilities are
    exploitable by an unauthenticated remote attacker, so network reachability
    is the only precondition for exploitation.
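Whether that restriction actually holds is something to verify from traffic or
firewall logs rather than assume. The script below is an added example (not
code from Rockwell Automation, CISA or AusCERT) that reads simplified key=value
firewall log lines, keeps only TCP connections to port 2031, and reports every
source address outside an allow-list of known thin clients and ThinManager
servers. The log format, the allow-list subnets and all addresses in the sample
log are constructed for the example; they are not ThinManager or Windows
Firewall log formats or real traffic.

```python
"""Audit check for the 2031/TCP mitigation in ICSA-23-080-06.

Added example, not code from Rockwell Automation, CISA or AusCERT. It reads
simplified key=value firewall log lines (constructed here; the format is an
assumption, not a ThinManager or Windows Firewall log format), keeps only
TCP connections to the ThinServer port, and reports sources that are not in
the allow-list of known thin clients and ThinManager servers. The allow-list
subnets and the addresses in the sample log are made up.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List

THINSERVER_PORT = 2031  # port named in the advisory's mitigation

# Assumed allow-list: subnets holding thin clients and peer ThinManager servers.
KNOWN_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "10.20.31.10/32")]

# Constructed sample log (not real traffic): two allowed thin-client/server
# sources, one internal host outside the allow-list, one UDP line and one
# non-2031 line that must be ignored, and an external address.
SAMPLE_LOG = """\
2023-03-22T08:01:12Z action=allow proto=tcp src=10.20.30.15 spt=51000 dst=10.20.31.5 dpt=2031
2023-03-22T08:01:13Z action=allow proto=tcp src=10.20.31.10 spt=51002 dst=10.20.31.5 dpt=2031
2023-03-22T08:02:40Z action=allow proto=tcp src=192.168.5.77 spt=44321 dst=10.20.31.5 dpt=2031
2023-03-22T08:02:41Z action=allow proto=tcp src=192.168.5.77 spt=44322 dst=10.20.31.5 dpt=3389
2023-03-22T08:03:05Z action=allow proto=udp src=172.16.0.9 spt=5353 dst=10.20.31.5 dpt=2031
2023-03-22T08:03:06Z action=allow proto=tcp src=203.0.113.8 spt=60001 dst=10.20.31.5 dpt=2031
2023-03-22T08:03:09Z action=allow proto=tcp src=203.0.113.8 spt=60002 dst=10.20.31.5 dpt=2031
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def is_known_source(addr: str, allowed: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if addr falls inside any allow-listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allowed)


def unexpected_thinserver_clients(log_text: str, allowed=KNOWN_SOURCES) -> List[Dict[str, str]]:
    """Return the TCP/2031 log entries whose source is outside the allow-list."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        # The advisory scopes the mitigation to 2031/TCP, so UDP and other
        # destination ports are ignored here.
        if f.get("proto") != "tcp" or f.get("dpt") != str(THINSERVER_PORT):
            continue
        if not is_known_source(f["src"], allowed):
            hits.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"]})
    return hits


def summarise(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged connections per source address."""
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    for src, n in summarise(unexpected_thinserver_clients(SAMPLE_LOG)).items():
        print(f"{src}: {n} connection(s) to {THINSERVER_PORT}/tcp from outside the allow-list")
```

Any source reported here is either a thin client or ThinManager server missing
from the allow-list, which should be added, or a host that should not be able
to reach the ThinServer port at all and indicates the mitigation is not in
effect for that path.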

For additional security best practices, see Rockwell Automation's Knowledgebase
article QA43240, Security Best Practices.

For more information, see Rockwell Automation's Security Advisory.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from business networks.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

No known public exploits specifically target these vulnerabilities.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
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=Y9K5
-----END PGP SIGNATURE-----