CVE-2024-45823 – CVE-2024-45823 is an authentication bypass vuln... (How to Fix)

Q: What is the severity of CVE-2024-45823?

CVE-2024-45823 has a CVSS score of 8.1 (HIGH). CVE-2024-45823 is an authentication bypass vulnerability in Rockwell Automation products where shared secrets across accounts allow threat actors to impersonate users if they can enumerate additional authentication information. This affects Rockwell Automation systems using vulnerable authentication mechanisms. Organizations using affected Rockwell products should prioritize patching.

📋 TL;DR

CVE-2024-45823 is an authentication bypass vulnerability in Rockwell Automation products where shared secrets across accounts allow threat actors to impersonate users if they can enumerate additional authentication information. This affects Rockwell Automation systems using vulnerable authentication mechanisms. Organizations using affected Rockwell products should prioritize patching.

💻 Affected Systems

Products:

Rockwell Automation FactoryTalk products

Versions: Specific versions not detailed in advisory - check vendor advisory for exact affected versions

Operating Systems: Windows-based systems running FactoryTalk

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems using FactoryTalk authentication with shared secrets across accounts

📦 What is this software?

Factorytalk Batch View by Rockwellautomation

View all CVEs affecting Factorytalk Batch View →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing unauthorized access to industrial control systems, potential manipulation of physical processes, data theft, and operational disruption.

🟠

Likely Case

Unauthorized access to user accounts leading to data exposure, configuration changes, and limited system manipulation depending on user privileges.

🟢

If Mitigated

Limited impact with proper network segmentation, monitoring, and compensating controls preventing successful exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires enumeration of additional authentication information beyond just shared secrets

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched versions

Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201698.html

Restart Required: Yes

Instructions:

1. Review vendor advisory SD 1698. 2. Identify affected products and versions. 3. Apply vendor-provided patches. 4. Restart affected systems. 5. Verify patch application.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected systems from untrusted networks and implement strict access controls

Enhanced Monitoring

all

Implement strict authentication logging and monitoring for suspicious access patterns

🧯 If You Can't Patch

Implement network segmentation to isolate affected systems
Enable detailed authentication logging and monitor for suspicious access patterns

🔍 How to Verify

Check if Vulnerable:

Check system version against vendor advisory and verify if using FactoryTalk authentication with shared secrets

Check Version:

Check FactoryTalk version through product interface or vendor documentation

Verify Fix Applied:

Verify patch version installed matches vendor recommendations and test authentication mechanisms

📡 Detection & Monitoring

Log Indicators:

Multiple failed authentication attempts followed by successful login from unusual locations
Authentication events showing shared secret usage patterns

Network Indicators:

Unusual authentication traffic patterns
Access attempts from unauthorized IP ranges

SIEM Query:

Authentication logs where source_ip NOT IN allowed_ranges AND authentication_method='shared_secret'

📊 Metadata

CVE ID: CVE-2024-45823

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-287

Published: September 12, 2024

Last Updated: October 2, 2024

🔗 References

https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201698.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-45823, you might also want to check these: