Rockwell ThinManager Vulnerabilities Could Expose Industrial HMIs to Attacks
Rockwell Automation ThinManager ThinServer vulnerabilities could allow remote attackers to take control of servers and hack HMIs.
By
Vulnerabilities discovered by researchers in Rockwell Automation’s ThinManager ThinServer product could be exploited in attacks aimed at industrial control systems (ICS).
Researchers at cybersecurity firm Tenable discovered one critical and two high-severity vulnerabilities in ThinManager ThinServer, a thin client and RDP server management software offered by Rockwell. The flaws are tracked as CVE-2023-2914, CVE-2023-2915 and CVE-2023-2917.
The security holes have been described as improper input validation issues that can lead to integer overflow or path traversal. The flaws can be exploited by remote attackers — without prior authentication — by sending specially crafted synchronization protocol messages.
Exploitation of the vulnerabilities can allow causing a denial-of-service (DoS) condition, deleting arbitrary files with system privileges, and uploading arbitrary files to any folder on the drive where ThinServer.exe is installed.
The vulnerabilities were reported to the vendor in May and Tenable released technical details on August 17, the same day Rockwell Automation informed customers about the availability of patches (advisory for registered users). Tenable has also developed proof-of-concept (PoC) exploits, but it has not made them public.
Tenable told SecurityWeek that the only requirement for exploitation is access to the network hosting the vulnerable server. Exploitation directly from the internet is also possible if the server is connected and exposed to the web, but this goes against the vendor’s recommended best practices.
“Successful exploitation can allow complete attacker control of the ThinServer,” Tenable said. “The real world impact of this access depends on the environment, server configuration and the content types the server is configured on and intended to access.”
The company noted that the product is typically used for human-machine interfaces (HMIs) used to control and monitor industrial equipment.
“An attacker would be able to give themself access to these HMIs. An attacker could also pivot from the server to attack other assets on the network,” Tenable said.
The US Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory this week to inform organizations about these vulnerabilities.
Rockwell Automation product vulnerabilities could be targeted by threat actors in their operations. It recently came to light that an unnamed APT has set its sights on two ControlLogix vulnerabilities that could be exploited to cause disruption or destruction in critical infrastructure organizations.
Rockwell discovered what it described as a “new exploit capability”, but there had been no evidence of exploitation in the wild.
Related: New Vulnerabilities Allow Stuxnet-Style Attacks Against Rockwell PLCs
Related: Organizations Informed of Over a Dozen Vulnerabilities in Rockwell Automation Products
Related: US Probing Cybersecurity Risks of Rockwell Automation’s China Operations
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.
Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.
While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.(Marie Hattar)
Just as a professional football team needs coordination, strategy and adaptability to secure a win on the field, a well-rounded cybersecurity strategy must address specific challenges and threats.(Matt Wilson)
As the SEC cyber incident disclosure rules come into effect, organizations will be forced to seriously consider giving security leaders a seat at the table.(Marc Solomon)
Working remotely is here to stay and businesses should continue to make sure their basic forms of communication are properly configured and secured.(Matt Honea)
The complexity and challenge of distributed cloud environments often necessitate managing multiple infrastructure, technology, and security stacks, multiple policy engines, multiple sets of controls, and multiple asset inventories.(Joshua Goldfarb)
The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...
Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...
Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).
Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.
Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.
Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...
More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.
Vulnerabilities discovered by researchers in Rockwell Automation’s ThinManager ThinServer product could be exploited in attacks aimed at industrial control systems (ICS). Learn More at SecurityWeek’s ICS Cyber Security ConferenceRelatedRelatedRelated