CVE-2024-7513
📋 TL;DR
CVE-2024-7513 is a critical code execution vulnerability in Rockwell Automation products caused by improper default file permissions. Any user can edit or replace files that are executed with elevated privileges, potentially leading to full system compromise. This affects Rockwell Automation FactoryTalk View SE and other industrial control system software.
💻 Affected Systems
- Rockwell Automation FactoryTalk View SE
📦 What is this software?
FactoryTalk View by Rockwell Automation
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining elevated privileges, executing arbitrary code, and potentially taking control of industrial processes.
Likely Case
Unauthorized users gaining elevated privileges to modify system files, install malware, or disrupt operations.
If Mitigated
Limited impact with proper access controls and monitoring in place, potentially only file modification without execution.
🎯 Exploit Status
Exploitation requires local access but is straightforward once access is obtained due to improper permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FactoryTalk View SE version 12.00.02 or later
Vendor Advisory: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD%201688.html
Restart Required: Yes
Instructions:
1. Download FactoryTalk View SE version 12.00.02 or later from Rockwell Automation.
2. Back up the current configuration.
3. Install the update following vendor instructions.
4. Restart affected systems.
5. Verify proper installation and functionality.
🔧 Temporary Workarounds
Restrict File Permissions
Windows: Manually adjust file permissions to prevent unauthorized users from modifying critical files.
icacls "C:\Program Files\Rockwell Software\FactoryTalk View\*" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F"
Implement Least Privilege Access
All platforms: Ensure users only have necessary permissions and separate administrative accounts from regular user accounts.
🧯 If You Can't Patch
- Implement strict access controls and monitor for unauthorized file modifications.
- Isolate affected systems from the network and implement application whitelisting.
🔍 How to Verify
Check if Vulnerable:
Check the FactoryTalk View SE version via Control Panel > Programs and Features. If the version is below 12.00.02, the system is vulnerable.
Check Version:
wmic product where "name like 'FactoryTalk View%'" get version
Verify Fix Applied:
Verify version is 12.00.02 or higher and test file permissions on FactoryTalk View SE directories.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file modifications in FactoryTalk directories
- Unexpected process execution with elevated privileges
- Failed permission change attempts
Network Indicators:
- Unusual network traffic from FactoryTalk systems
- Unexpected remote connections to affected systems
SIEM Query:
(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%FactoryTalk%' AND AccessMask=0x100
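
The log indicators and SIEM query above, written as triage logic over Windows Security events 4663/4656 (an added example, not part of the original page or the vendor advisory). It goes beyond the query's single 0x100 (WriteAttributes) test by decoding the other write-type AccessMask bits; the trusted account, user names and file names are constructed assumptions.

```python
# Write-type bits of the file-object AccessMask in events 4663/4656.
WRITE_BITS = {
    0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory",
    0x100: "WriteAttributes",  # the only bit the page's query tests
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
# Assumption: accounts allowed to change the install tree (constructed name).
TRUSTED = {"svc-patching"}
BASE = r"C:\Program Files\Rockwell Software\FactoryTalk View"

def write_rights(mask_hex):
    """Decode a hex AccessMask string into the write-type rights it contains."""
    mask = int(mask_hex, 16)
    return [name for bit, name in WRITE_BITS.items() if mask & bit]

def suspicious(ev):
    """(4663 OR 4656) AND FactoryTalk path AND write right AND untrusted user."""
    return (ev["EventID"] in (4663, 4656)
            and "factorytalk" in ev["ObjectName"].lower()
            and bool(write_rights(ev["AccessMask"]))
            and ev["SubjectUserName"] not in TRUSTED)

def triage(events):
    """Return (user, path, rights) for every event that needs analyst review."""
    return [(e["SubjectUserName"], e["ObjectName"], write_rights(e["AccessMask"]))
            for e in events if suspicious(e)]

def make_event(event_id, user, path, mask):
    """Build a minimal event dict using Security-log EventData field names."""
    return {"EventID": event_id, "SubjectUserName": user,
            "ObjectName": path, "AccessMask": mask}

# Constructed sample events; user and file names are made up.
SAMPLE_EVENTS = [
    make_event(4663, "operator1", BASE + r"\Example.exe", "0x2"),      # content write
    make_event(4663, "operator1", BASE + r"\Example.exe", "0x1"),      # read only
    make_event(4656, "operator2", BASE + r"\Example.dll", "0x40100"),  # attrs + DACL
    make_event(4663, "svc-patching", BASE + r"\Example.exe", "0x2"),   # trusted
    make_event(4663, "operator1", r"C:\Users\operator1\notes.txt", "0x2"),  # other path
]

if __name__ == "__main__":
    for user, path, rights in triage(SAMPLE_EVENTS):
        print(f"{user} -> {path}: {', '.join(rights)}")
```

These events are only generated when object-access auditing is enabled and an audit entry (SACL) is set on the FactoryTalk directories.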