CVE-2024-6068
📋 TL;DR
A memory corruption vulnerability in Rockwell Automation products allows local attackers to execute arbitrary code or disclose information when users open malicious DFT files. This affects legitimate users who process DFT files in vulnerable software. The vulnerability requires user interaction with a specially crafted file.
💻 Affected Systems
- Rockwell Automation FactoryTalk View SE
- Rockwell Automation FactoryTalk View ME
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with arbitrary code execution leading to data theft, lateral movement, and persistent access.
Likely Case
Information disclosure and limited code execution within the context of the user opening the malicious file.
If Mitigated
No impact if malicious DFT files are prevented from reaching users or if patched versions are deployed.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious DFT file) and knowledge of memory corruption techniques. No public exploits known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See vendor advisory for specific patched versions
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD17011.html
Restart Required: Yes
Instructions:
1. Review vendor advisory SD17011 for affected versions.
2. Download and apply the appropriate patch from Rockwell Automation.
3. Restart affected systems.
4. Test functionality after patching.
🔧 Temporary Workarounds
Restrict DFT file processing
Block or restrict processing of DFT files from untrusted sources
User awareness training
Train users not to open DFT files from unknown or untrusted sources
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized DFT file execution
- Use network segmentation to isolate vulnerable systems from critical assets
🔍 How to Verify
Check if Vulnerable:
Check FactoryTalk View version against affected versions listed in advisory SD17011
Check Version:
Check version in FactoryTalk View application or via Windows Programs and Features
Verify Fix Applied:
Verify installed version matches or exceeds patched versions specified in vendor advisory
📡 Detection & Monitoring
Log Indicators:
- Unexpected DFT file processing
- Application crashes in FactoryTalk View
- Unusual process execution following DFT file access
Network Indicators:
- Unusual file transfers of DFT files
- Network connections from FactoryTalk View to unexpected destinations
SIEM Query:
source="FactoryTalk" AND (event="crash" OR event="error") AND file_extension="dft"