CVE-2024-2637
📋 TL;DR
This CVE describes an Uncontrolled Search Path Element vulnerability in multiple B&R Industrial Automation products that allows an authenticated local attacker to execute arbitrary code by placing malicious files in the application's loading search path. The vulnerability affects numerous industrial automation software components including HMI systems, drivers, and development tools. Attackers with local access can escalate privileges or compromise affected systems.
💻 Affected Systems
- Scene Viewer
- Automation Runtime
- mapp Vision
- mapp View
- mapp Cockpit
- mapp Safety
- VC4
- APROL
- CAN Driver
- CAN Driver CC770
- CAN Driver SJA1000
- Tou0ch Lock
- B&R Single-Touch Driver
- Serial User Mode Touch Driver
- Windows Settings Changer (LTSC)
- Windows Settings Changer (2019 LTSC)
- Windows 10 Recovery Solution
- ADI driver universal
- ADI Development Kit
- ADI .NET SDK
- SRAM driver
- HMI Service Center
- HMI Service Center Maintenance
- Windows 10 IoT Enterprise 2019 LTSC
- KCF Editor
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with the privileges of the vulnerable application, potentially leading to industrial process disruption, data theft, or lateral movement within OT networks.
Likely Case
Local privilege escalation allowing authenticated attackers to gain higher privileges on affected systems, potentially compromising industrial control systems or stealing sensitive operational data.
If Mitigated
Limited impact with proper access controls, network segmentation, and least privilege principles in place, though the vulnerability still presents a security weakness.
🎯 Exploit Status
Exploitation requires authenticated local access and knowledge of the application's search path. The vulnerability is in the DLL/component loading mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Various versions as specified in CVE description (e.g., Scene Viewer 4.4.0+, Automation Runtime J4.93+, etc.)
Vendor Advisory: https://www.br-automation.com/fileadmin/SA24P005_Insecure_Loading_of_Code-c7d9e49c.pdf
Restart Required: Yes
Instructions:
1. Identify affected B&R products in your environment. 2. Download and apply the appropriate patches from B&R Automation. 3. Restart affected systems and applications. 4. Verify patch installation through version checks.
🔧 Temporary Workarounds
Restrict File System Permissions
windowsLimit write access to directories in the application's search path to prevent malicious file placement.
icacls "C:\Program Files\BR\*" /deny "Users":(OI)(CI)W
icacls "C:\ProgramData\BR\*" /deny "Users":(OI)(CI)W
Implement Application Whitelisting
windowsUse application control solutions to prevent execution of unauthorized binaries from search path locations.
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to affected systems
- Segment industrial control networks to prevent lateral movement from compromised systems
🔍 How to Verify
Check if Vulnerable:
Check installed versions of B&R products against the vulnerable version ranges specified in the CVE description.Check Version:
Check through B&R Automation Studio or product-specific version utilities. For Windows systems: wmic product where "vendor like '%%BR%%'" get name, versionVerify Fix Applied:
Verify that all B&R products are updated to the patched versions listed in the CVE description.📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL/component loading from unusual directories
- Failed attempts to write to protected directories in application search paths
- Process creation from non-standard locations by B&R applications
Network Indicators:
- Unusual outbound connections from industrial control systems
- Lateral movement attempts from OT to IT networks
SIEM Query:
source="windows" AND (process_name="*.exe" AND process_path="*BR*" AND parent_process!="expected_parent") OR (event_id=4688 AND new_process_name="*.dll" AND process_path="*BR*")