CVE-2024-37367
📋 TL;DR
An authentication bypass vulnerability in Rockwell Automation FactoryTalk View SE v12 allows remote users to access HMI projects without proper authentication. This affects industrial control systems using FactoryTalk View SE v12. Attackers can view sensitive HMI project data that should require authentication.
💻 Affected Systems
- Rockwell Automation FactoryTalk View SE
📦 What is this software?
FactoryTalk View by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to HMI projects, potentially learning system layouts, control logic, and sensitive operational data that could facilitate further attacks on industrial processes.
Likely Case
Unauthorized viewing of HMI project files containing system configurations, control logic, and operational parameters that could be used for reconnaissance or planning targeted attacks.
If Mitigated
Impact is limited to information disclosure if proper network segmentation and access controls are in place to block exploitation attempts.
🎯 Exploit Status
Exploitation requires network access to the FactoryTalk View SE server but no authentication credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 12.00.01 or later
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1675.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk View SE v12.00.01 or later from the Rockwell Automation website.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart the system.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to FactoryTalk View SE servers to only authorized systems.
Firewall Rules
Implement strict firewall rules to block unauthorized access to FactoryTalk View SE ports.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FactoryTalk View SE systems from untrusted networks
- Deploy intrusion detection systems to monitor for unauthorized access attempts to FactoryTalk View SE services
🔍 How to Verify
Check if Vulnerable:
Check the FactoryTalk View SE version in Control Panel > Programs and Features. If the version is 12.00.00 or earlier, the system is vulnerable.
Check Version:
wmic product where "name like 'FactoryTalk View SE%'" get version
Verify Fix Applied:
Verify that the version is 12.00.01 or later in Control Panel > Programs and Features. Test that unauthorized users cannot access HMI projects.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to FactoryTalk View SE services
- Failed authentication logs followed by successful project access
Network Indicators:
- Unexpected connections to FactoryTalk View SE ports from unauthorized IP addresses
- Unusual traffic patterns to FactoryTalk View SE services
SIEM Query:
source="FactoryTalk" AND (event_type="access" OR event_type="authentication") AND result="success" AND user="unknown"