CVE-2024-40620
📋 TL;DR
This vulnerability allows unencrypted transmission of sensitive data between Console and Dashboard components in Rockwell Automation products. Attackers monitoring network traffic could intercept confidential information. Organizations using affected Rockwell Automation products are impacted.
💻 Affected Systems
- Rockwell Automation FactoryTalk View Site Edition
📦 What is this software?
Pavilion8 by Rockwellautomation
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of sensitive operational data including credentials, configuration details, and proprietary information to attackers, potentially enabling further system compromise.
Likely Case
Interception of sensitive data by network-based attackers or malicious insiders, leading to information disclosure and potential credential theft.
If Mitigated
Limited impact with proper network segmentation and monitoring, though data confidentiality remains at risk during transmission.
🎯 Exploit Status
Exploitation requires network access to intercept traffic between Console and Dashboard components.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FactoryTalk View Site Edition version 13.0.1 or later
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201691.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk View Site Edition version 13.0.1 or later from Rockwell Automation.
2. Backup current configuration.
3. Install the update following vendor instructions.
4. Restart affected systems.
🔧 Temporary Workarounds
Network Segmentation
Isolate Console and Dashboard communication to trusted network segments to limit exposure.
VPN/Encrypted Tunnel
Route Console-Dashboard traffic through encrypted VPN tunnels.
🧯 If You Can't Patch
- Implement strict network segmentation between Console and Dashboard components.
- Deploy network monitoring and intrusion detection systems to detect traffic interception attempts.
🔍 How to Verify
Check if Vulnerable:
Check the FactoryTalk View Site Edition version. A system running version 13.0 or earlier is vulnerable.
Check Version:
Check the version in the FactoryTalk View Site Edition application or in Windows Programs and Features.
Verify Fix Applied:
Verify installation of FactoryTalk View Site Edition version 13.0.1 or later and confirm encrypted communication between Console and Dashboard.
📡 Detection & Monitoring
Log Indicators:
- Unencrypted traffic logs in proxy servers between Console and Dashboard IPs
- Network monitoring alerts for cleartext sensitive data transmission
Network Indicators:
- Cleartext traffic on ports used by FactoryTalk View between Console and Dashboard components
- Lack of TLS/SSL encryption in Console-Dashboard communications
SIEM Query:
source_ip IN (console_ips) AND dest_ip IN (dashboard_ips) AND protocol=tcp AND NOT (tls_version EXISTS OR ssl_version EXISTS)
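The SIEM query above, expressed as an added Python example over exported flow records (not vendor or advisory code). The address ranges, ports, field names and sample records are constructed placeholders, and a blank or "-" TLS field is treated as absent.

```python
import ipaddress
from collections import Counter

# Assumed placeholders (documentation ranges), not values from the advisory.
CONSOLE_NETS = [ipaddress.ip_network("192.0.2.10/32")]
DASHBOARD_NETS = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample flow records, not captured traffic.
SAMPLE_FLOWS = [
    {"source_ip": "192.0.2.10", "dest_ip": "198.51.100.5", "dest_port": 8080, "protocol": "tcp"},
    {"source_ip": "192.0.2.10", "dest_ip": "198.51.100.5", "dest_port": 8080, "protocol": "tcp", "tls_version": ""},
    {"source_ip": "192.0.2.10", "dest_ip": "198.51.100.5", "dest_port": 8443, "protocol": "tcp", "tls_version": "TLSv1.2"},
    {"source_ip": "192.0.2.10", "dest_ip": "198.51.100.6", "dest_port": 8443, "protocol": "TCP", "ssl_version": "TLSv1.3"},
    {"source_ip": "192.0.2.77", "dest_ip": "198.51.100.5", "dest_port": 8080, "protocol": "tcp"},
    {"source_ip": "192.0.2.10", "dest_ip": "198.51.100.5", "dest_port": 514, "protocol": "udp"},
    {"source_ip": "not-an-ip", "dest_ip": "198.51.100.5", "dest_port": 8080, "protocol": "tcp"},
]

def _in_any(addr, nets):
    """True if addr parses as an IP inside one of nets; malformed values never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)

def _has_value(flow, field):
    """EXISTS semantics: field is present and is not blank or '-' (a common 'unset' marker)."""
    return str(flow.get(field) or "").strip() not in ("", "-")

def is_cleartext_console_to_dashboard(flow):
    """Same condition as the SIEM query: Console -> Dashboard, TCP, no TLS/SSL version logged."""
    return (
        _in_any(flow.get("source_ip", ""), CONSOLE_NETS)
        and _in_any(flow.get("dest_ip", ""), DASHBOARD_NETS)
        and str(flow.get("protocol", "")).lower() == "tcp"
        and not (_has_value(flow, "tls_version") or _has_value(flow, "ssl_version"))
    )

def summarize(flows):
    """Count matching flows per (source_ip, dest_ip, dest_port) so repeats collapse into one finding."""
    return Counter(
        (f["source_ip"], f["dest_ip"], f.get("dest_port"))
        for f in flows if is_cleartext_console_to_dashboard(f)
    )

if __name__ == "__main__":
    for (src, dst, port), n in summarize(SAMPLE_FLOWS).items():
        print(f"cleartext Console->Dashboard: {src} -> {dst}:{port} flows={n}")
```

After the fix is applied, the same check should return no findings for Console-Dashboard pairs.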