CVE-2024-10386 – CVE-2024-10386 is a critical authentication vul... (How to Fix)

Q: What is the severity of CVE-2024-10386?

CVE-2024-10386 has a CVSS score of 9.8 (CRITICAL). CVE-2024-10386 is a critical authentication vulnerability in Rockwell Automation products that allows unauthenticated attackers with network access to send crafted messages to manipulate databases. This affects industrial control systems and could lead to operational disruption. Organizations using affected Rockwell Automation devices are at risk.

📋 TL;DR

CVE-2024-10386 is a critical authentication vulnerability in Rockwell Automation products that allows unauthenticated attackers with network access to send crafted messages to manipulate databases. This affects industrial control systems and could lead to operational disruption. Organizations using affected Rockwell Automation devices are at risk.

💻 Affected Systems

Products:

Rockwell Automation FactoryTalk View SE
Rockwell Automation FactoryTalk Linx

Versions: FactoryTalk View SE versions prior to 12.00.02, FactoryTalk Linx versions prior to 6.30.00

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems using FactoryTalk services for industrial automation and control.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial control systems leading to physical damage, production shutdown, or safety incidents through database manipulation.

🟠

Likely Case

Unauthorized access to control systems allowing data manipulation, configuration changes, or disruption of industrial processes.

🟢

If Mitigated

Limited impact if network segmentation, authentication controls, and monitoring prevent exploitation attempts.

🌐 Internet-Facing: HIGH - Direct internet exposure would allow remote attackers to exploit this without authentication.

🏢 Internal Only: HIGH - Even internally, any network access to affected devices could lead to exploitation.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires network access but no authentication, making exploitation straightforward for attackers with access to the network.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FactoryTalk View SE 12.00.02, FactoryTalk Linx 6.30.00

Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1708.html

Restart Required: Yes

Instructions:

1. Download patches from Rockwell Automation Security Advisory SD1708. 2. Apply FactoryTalk View SE 12.00.02 update. 3. Apply FactoryTalk Linx 6.30.00 update. 4. Restart affected systems and services. 5. Verify patch installation through version checks.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected systems from untrusted networks using firewalls and VLANs

Access Control Lists

all

Implement strict network access controls to limit connections to FactoryTalk services

🧯 If You Can't Patch

Implement strict network segmentation to isolate affected systems from all untrusted networks
Deploy intrusion detection systems to monitor for exploitation attempts and database manipulation activities

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk View SE version (should be < 12.00.02) and FactoryTalk Linx version (should be < 6.30.00) through Rockwell Automation software management tools

Check Version:

Use Rockwell Automation FactoryTalk Administration Console or check installed programs in Windows Control Panel

Verify Fix Applied:

Verify FactoryTalk View SE version is 12.00.02 or higher and FactoryTalk Linx version is 6.30.00 or higher

📡 Detection & Monitoring

Log Indicators:

Unauthorized authentication attempts to FactoryTalk services
Unexpected database modification events
Unusual network connections to FactoryTalk ports

Network Indicators:

Crafted messages to FactoryTalk services on default ports
Unusual traffic patterns to/from industrial control systems

SIEM Query:

source="FactoryTalk" AND (event_type="authentication_failure" OR event_type="database_modification")

📊 Metadata

CVE ID: CVE-2024-10386

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-306

Published: October 25, 2024

Last Updated: November 5, 2024

🔗 References

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1708.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-10386, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Thinmanager by Rockwellautomation

Thinmanager by Rockwellautomation

Thinmanager by Rockwellautomation

Thinmanager by Rockwellautomation

Thinmanager by Rockwellautomation

Thinmanager by Rockwellautomation

Thinmanager by Rockwellautomation

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Network Segmentation

Access Control Lists

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities