CVE-2024-6325

6.5 MEDIUM

📋 TL;DR

This CVE appears to reference a vulnerability in Rockwell Automation FactoryTalk Policy Manager where improper privilege management (CWE-269) could allow attackers to gain elevated privileges. The description suggests issues with CIP security implementation and failure to update to patched versions addressing previous CVEs. Industrial control systems using affected FactoryTalk versions are impacted.

💻 Affected Systems

Products:
  • Rockwell Automation FactoryTalk Policy Manager
Versions: v6.40 and potentially earlier versions (based on referenced CVEs)
Operating Systems: Windows (typical for industrial control systems)
Default Config Vulnerable: ⚠️ Yes
Notes: Systems that did not update to versions addressing CVE-2021-22681 and CVE-2022-1161 remain vulnerable. CIP security implementation issues may affect communication protocols.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could gain administrative privileges on industrial control systems, potentially allowing disruption of manufacturing processes, data theft, or physical damage to equipment.

🟠

Likely Case

Unauthorized users could escalate privileges to access sensitive industrial control system configurations and modify operational parameters.

🟢

If Mitigated

With proper network segmentation and access controls, impact would be limited to isolated systems with minimal operational disruption.

🌐 Internet-Facing: MEDIUM - While industrial systems shouldn't be internet-facing, misconfigurations could expose them, and the CVSS 6.5 score indicates moderate risk.
🏢 Internal Only: HIGH - Industrial control systems are critical infrastructure; internal compromise could lead to significant operational impact.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

CWE-269 typically requires some level of access to exploit. The CVSS 6.5 suggests moderate attack complexity. No public exploit code mentioned in provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in provided text, but references suggest updates addressing CVE-2021-22681 and CVE-2022-1161

Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1678.html

Restart Required: Yes

Instructions:

1. Review Rockwell advisory SD1678.
2. Apply the recommended updates for FactoryTalk Policy Manager.
3. Verify the CIP security configuration.
4. Restart affected systems.
5. Test functionality post-update.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate FactoryTalk systems from general corporate networks and internet access.

Access Control Hardening (applies to: all)

Implement strict role-based access controls and multi-factor authentication.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Enhance monitoring for privilege escalation attempts and abnormal access patterns

🔍 How to Verify

Check if Vulnerable:

Check FactoryTalk Policy Manager version against affected versions in Rockwell advisory SD1678

Check Version:

Check within FactoryTalk Policy Manager interface or Windows Programs and Features

Verify Fix Applied:

Verify version is updated beyond vulnerable releases and test CIP security functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts
  • Abnormal access to FactoryTalk administrative functions
  • Failed authentication followed by successful privileged access

Network Indicators:

  • Unexpected CIP protocol traffic patterns
  • Unauthorized access attempts to FactoryTalk ports

SIEM Query:

source="FactoryTalk" AND (event_type="privilege_escalation" OR (user="*" AND action="admin_access"))
