CVE-2024-37365
📋 TL;DR
This CVE describes a remote code execution vulnerability in Rockwell Automation products where users can save projects to a public directory, allowing local file modification/deletion. Attackers could exploit this to escalate privileges and execute arbitrary code via macro manipulation. Organizations using affected Rockwell Automation software are at risk.
💻 Affected Systems
- Rockwell Automation FactoryTalk View Site Edition
📦 What is this software?
FactoryTalk View by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining administrative privileges, executing arbitrary code, and potentially pivoting to other systems in the network.
Likely Case
Unauthorized file modification or deletion in public directories, potential privilege escalation within the affected application.
If Mitigated
Limited to local file access within the public directory scope if proper access controls are implemented.
🎯 Exploit Status
Exploitation requires local access to the system and knowledge of the vulnerable directory structure. Privilege escalation through macro manipulation adds complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 13.0.1 or later
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1709.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk View Site Edition version 13.0.1 or later from Rockwell Automation.
2. Back up existing projects and configurations.
3. Run the installer with administrative privileges.
4. Follow the installation wizard prompts.
5. Restart the system after installation completes.
🔧 Temporary Workarounds
Restrict Public Directory Permissions
Windows: Modify file system permissions to prevent unauthorized access to the public project directory. Note that an explicit deny entry is evaluated before allow entries, so the first command below blocks every member of Users (including any operator who legitimately saves projects there); the second command keeps administrators working.
icacls "C:\ProgramData\Rockwell Automation\FactoryTalk View SE\Projects\Public" /deny Users:(OI)(CI)F
icacls "C:\ProgramData\Rockwell Automation\FactoryTalk View SE\Projects\Public" /grant Administrators:(OI)(CI)F
Disable Project Saving to Public Directory
Windows: Configure application settings to prevent users from saving projects to the vulnerable public directory.
🧯 If You Can't Patch
- Implement strict access controls to limit who can access the affected systems.
- Monitor file system changes in the public project directory for unauthorized modifications.
🔍 How to Verify
Check if Vulnerable:
Check FactoryTalk View Site Edition version in Control Panel > Programs and Features. If version is below 13.0.1, the system is vulnerable.
Check Version:
wmic product where "name like 'FactoryTalk View Site Edition%'" get version
Verify Fix Applied:
Verify version is 13.0.1 or higher in Control Panel > Programs and Features, and test that project saving to public directory is properly restricted.
📡 Detection & Monitoring
Log Indicators:
- Unusual file modifications in FactoryTalk View project directories
- Failed (access denied) attempts to open or write files in the public project directory
- Unexpected macro execution events
Network Indicators:
- Unusual network connections from FactoryTalk View processes
- Lateral movement attempts from affected systems
SIEM Query:
EventID=4663 AND ObjectName LIKE '%FactoryTalk View SE%Projects%Public%' AND AccessMask=0x100
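An added example (not from the page or from Rockwell Automation) that applies the detection idea above offline: it parses constructed event-4663 records in an assumed key=value layout and flags any entry under the Public project directory whose access mask carries a write, append, extended-attribute, attribute or delete bit, which goes beyond the page's query by catching content changes and deletions as well as the 0x100 attribute write.

```python
import re

PUBLIC_DIR = r"C:\ProgramData\Rockwell Automation\FactoryTalk View SE\Projects\Public"

# Constructed sample records modelled on Windows Security event 4663 (object
# access). The flat key=value layout is an assumption made for this example.
SAMPLE_EVENTS = [
    f"EventID=4663 Subject=ICS\\operator ObjectName={PUBLIC_DIR}\\Line1\\Display.gfx AccessMask=0x2",
    f"EventID=4663 Subject=ICS\\operator ObjectName={PUBLIC_DIR}\\Line1\\Startup.mcr AccessMask=0x10000",
    f"EventID=4663 Subject=ICS\\operator ObjectName={PUBLIC_DIR}\\Line1\\Display.gfx AccessMask=0x1",
    "EventID=4663 Subject=ICS\\engineer ObjectName=C:\\Users\\engineer\\Documents\\notes.txt AccessMask=0x2",
    "EventID=4624 Subject=ICS\\operator LogonType=2",
]

# File-object access-mask bits (Windows ACCESS_MASK) that change or remove a file.
WRITE_DATA = 0x2
APPEND_DATA = 0x4
WRITE_EA = 0x10
WRITE_ATTRIBUTES = 0x100   # the bit the page's SIEM query keys on
DELETE = 0x10000
MODIFY_BITS = WRITE_DATA | APPEND_DATA | WRITE_EA | WRITE_ATTRIBUTES | DELETE

# Values run until the next " Key=" token, so paths containing spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one flat key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def is_suspicious(event):
    """True for a 4663 event that modifies or deletes something under PUBLIC_DIR."""
    if event.get("EventID") != "4663":
        return False
    obj = event.get("ObjectName", "")
    if not obj.lower().startswith(PUBLIC_DIR.lower()):
        return False
    mask = int(event.get("AccessMask", "0"), 16)
    return bool(mask & MODIFY_BITS)


def find_suspicious(lines):
    """Return (subject, object, access mask) for every flagged record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((ev["Subject"], ev["ObjectName"], ev["AccessMask"]))
    return hits


if __name__ == "__main__":
    for subject, obj, mask in find_suspicious(SAMPLE_EVENTS):
        print(f"{subject} touched {obj} with AccessMask {mask}")
```

On the sample above only the write (0x2) and the delete (0x10000) are reported; the read (0x1), the file outside the Public directory and the logon event are ignored.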