CVE-2024-10943
📋 TL;DR
This authentication bypass vulnerability allows attackers to impersonate legitimate users by exploiting shared secrets across accounts. Organizations using affected Rockwell Automation products are at risk, particularly those with internet-facing systems or insufficient network segmentation.
💻 Affected Systems
- Rockwell Automation FactoryTalk View SE
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing unauthorized access to industrial control systems, potential manipulation of physical processes, data exfiltration, and lateral movement across the network.
Likely Case
Unauthorized access to sensitive operational data, configuration changes to industrial equipment, and potential disruption of manufacturing processes.
If Mitigated
Limited impact with proper network segmentation, monitoring, and access controls preventing lateral movement even if initial authentication bypass occurs.
🎯 Exploit Status
Requires attacker to enumerate additional authentication information beyond just the shared secret vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FactoryTalk View SE version 12.00.02
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1710.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk View SE version 12.00.02 from Rockwell Automation support portal. 2. Backup current configuration and data. 3. Install the update following vendor documentation. 4. Restart affected systems. 5. Verify installation and functionality.
🔧 Temporary Workarounds
Network Segmentation
allIsolate FactoryTalk systems from untrusted networks and implement strict firewall rules
Enhanced Monitoring
allImplement detailed logging and monitoring for authentication attempts and user activity
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from internet and untrusted networks
- Enable detailed authentication logging and implement SIEM alerts for suspicious authentication patterns
- Implement multi-factor authentication where possible and review user account permissions
- Regularly audit user accounts and remove unnecessary or dormant accounts
🔍 How to Verify
Check if Vulnerable:
Check FactoryTalk View SE version in Control Panel > Programs and Features. Versions prior to 12.00.02 are vulnerable.Check Version:
wmic product where name like "FactoryTalk View SE%" get versionVerify Fix Applied:
Verify installed version is 12.00.02 or later and test authentication functionality with various user accounts.📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login from same source
- Authentication from unusual IP addresses or locations
- User account accessing resources outside normal patterns
Network Indicators:
- Unusual authentication traffic patterns
- Connections from unexpected network segments to FactoryTalk systems
SIEM Query:
source="FactoryTalk" AND (event_type="authentication" AND (result="success" AND previous_hour_result="failure"))