===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1693
          ICS Advisory | ICSA-23-080-06 Rockwell Automation ThinManager
                               22 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Rockwell Automation ThinManager
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-28757 CVE-2023-28756 CVE-2023-28755

Original Bulletin:
   https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-06

Comment: CVSS (Max):  9.8 CVE-2023-28755 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-23-080-06)

Rockwell Automation ThinManager

Release Date
March 21, 2023

1. EXECUTIVE SUMMARY

  o CVSS v3 9.8
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Rockwell Automation
  o Equipment: ThinManager ThinServer
  o Vulnerabilities: Path Traversal, Heap-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to
potentially perform remote code execution on the target system/device or
crash the software.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation ThinManager ThinServer, a thin
client and remote desktop protocol (RDP) server management software, are
affected:

  o ThinManager ThinServer: Versions 6.x - 10.x
  o ThinManager ThinServer: Versions 11.0.0 - 11.0.5
  o ThinManager ThinServer: Versions 11.1.0 - 11.1.5
  o ThinManager ThinServer: Versions 11.2.0 - 11.2.6
  o ThinManager ThinServer: Versions 12.0.0 - 12.0.4
  o ThinManager ThinServer: Versions 12.1.0 - 12.1.5
  o ThinManager ThinServer: Versions 13.0.0 - 13.0.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22

In affected versions, a path traversal exists when processing a message. An
unauthenticated remote attacker could potentially exploit this vulnerability
to upload arbitrary files to any directory on the disk drive where
ThinServer.exe is installed. The attacker could overwrite existing executable
files with attacker-controlled, malicious contents, potentially causing
remote code execution.

CVE-2023-28755 has been assigned to this vulnerability. A CVSS v3 base score
of 9.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH
TRAVERSAL') CWE-22

In affected versions, a path traversal exists when processing a type 8
message. An unauthenticated remote attacker could exploit this vulnerability
to download arbitrary files on the disk drive where ThinServer.exe is
installed.

CVE-2023-28756 has been assigned to this vulnerability. A CVSS v3 base score
of 7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 HEAP-BASED BUFFER OVERFLOW CWE-122

In affected versions, a heap-based buffer over-read condition occurs when the
message field indicates more data than is present. An unauthenticated remote
attacker could exploit this vulnerability to crash ThinServer.exe due to a
read access violation.

CVE-2023-28757 has been assigned to this vulnerability. A CVSS v3 base score
of 7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

James Swann of Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation encourages users to implement the risk mitigations
provided below. Users should also combine these mitigations with the general
security guidelines, if possible.

Rockwell Automation has released the following updates for the affected
versions:

  o Versions 6.x - 10.x: These versions are retired. Users should update to a
    supported version.
  o Versions 11.0.0 - 11.0.5: Update to v11.0.6
  o Versions 11.1.0 - 11.1.5: Update to v11.1.6
  o Versions 11.2.0 - 11.2.6: Update to v11.2.7
  o Versions 12.0.0 - 12.0.4: Update to v12.0.5
  o Versions 12.1.0 - 12.1.5: Update to v12.1.6
  o Versions 13.0.0 - 13.0.1: Update to v13.0.2

If users are unable to update to the patched version, the following
mitigations should be put in place to reduce exploitation of this
vulnerability:

  o Limit remote access of port 2031/TCP to known thin clients and ThinManager
    servers.

For additional security best practices, see Rockwell Automation's
Knowledgebase article, QA43240 Security Best Practices.

For more information, see Rockwell Automation's Security Advisory.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from business networks.
  o When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing VPNs may have vulnerabilities and
    should be updated to the most current version available. Also recognize
    VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing
cyber defense best practices are available for reading and download,
including Improving Industrial Control Systems Cybersecurity with
Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage at cisa.gov/ics in the technical information
paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow
established internal procedures and report findings to CISA for tracking and
correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
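The two weaknesses in section 3.2 come down to trusting client-supplied values: a declared payload length larger than the bytes actually received (3.2.3) and a file name that is allowed to contain path separators or ".." (3.2.1 and 3.2.2). The C below is an added illustration of the input checks that close both gaps; it is not code from the advisory, CISA or Rockwell Automation, and the message layout (1-byte type, 2-byte big-endian length, payload) is constructed for the example and is not ThinManager's protocol.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed layout for illustration only (not ThinManager's wire format):
 * 1-byte message type, 2-byte big-endian payload length, then payload. */
typedef struct { uint8_t type; uint16_t len; const uint8_t *payload; } msg_t;

/* Returns 1 on success, 0 when the header claims more payload than was
 * received. Trusting that field is what turns a short message into a
 * heap over-read (the CWE-122 condition in section 3.2.3). */
int parse_message(const uint8_t *buf, size_t buf_len, msg_t *out)
{
    if (buf == NULL || out == NULL || buf_len < 3)
        return 0;
    uint16_t declared = (uint16_t)((buf[1] << 8) | buf[2]);
    if ((size_t)declared > buf_len - 3)      /* must fit in received bytes */
        return 0;
    out->type = buf[0];
    out->len = declared;
    out->payload = buf + 3;
    return 1;
}

/* Returns 1 only if a client-supplied file name is a single path component
 * drawn from [A-Za-z0-9._-] and is not "." or "..", so joining it to the
 * server's base directory can never escape that directory (CWE-22). */
int filename_is_contained(const char *name)
{
    size_t n, i;
    if (name == NULL || (n = strlen(name)) == 0 || n > 255)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed input: type 8, header claims 256 bytes, only 4 present. */
    const uint8_t truncated[] = { 0x08, 0x01, 0x00, 'a', 'b', 'c', 'd' };
    msg_t m;
    printf("truncated message accepted: %d\n", parse_message(truncated, sizeof truncated, &m));
    printf("name containing '..' accepted: %d\n", filename_is_contained("..\\x.txt"));
    return 0;
}
```

Both functions fail closed, so a rejected message or name should be logged and dropped rather than processed with a best-guess length or a sanitised path.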