Loading

ThinManager® ThinServer™ Information Disclosure and Remote Code Execution Vulnerabilities

Severity:
Medium,
High,
Critical
Advisory ID:
SD1692
Published Date:
August 21, 2024
Last Updated:
November 19, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
CVE IDs
CVE-2024-7986,
CVE 2024-7987,
CVE 2024 -7988
Downloads
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
JSON
Summary
ThinManager® ThinServer™ Information Disclosure and Remote Code Execution Vulnerabilities

Published Date: 8/22/24

Last updated: 8/22/24

Revision Number: 1.0

CVSS Score: v3.1: 5.5, 7.8, 9.8, v4.0: 6.8, 8.5, 9.3

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

ThinManager® ThinServer™

11.1.0-11.1.7
11.2.0-11.2.8
12.0.0-12.0.6
12.1.0-12.1.7
13.0.0-13.0.4
13.1.0-13.1.2
13.2.0-13.2.1

11.1.8

11.2.9

12.0.7

12.1.8

13.0.5

13.1.3

13.2.2

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Nicholas Zubrisky of Trend Micro Security Research.

CVE-2024-7986 IMPACT

A vulnerability exists in the affected products that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.

CVSS Base Score v3.1: 5.5/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS Base Score v4.0: 6.8/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE: CWE-269 Improper Privilege Management

Known Exploited Vulnerability (KEV) database:  No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

CVE-2024-7987 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. To exploit this vulnerability and a threat actor must abuse the ThinServer™ service by creating a junction and use it to upload arbitrary files.

CVSS Base Score v3.1: 7.8/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.5/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-732: Incorrect Permission Assignment for Critical Resource

 

CVE-2024-7988 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. This vulnerability exists due to the lack of proper data input validation, which allows files to be overwritten.

CVSS Base Score v3.1: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

Mitigations and Workarounds

Customers using the affected software are encouraged to implement our suggested security best practices to minimize the risk of vulnerability.

·       Security Best Practices

 ADDITIONAL RESOURCES

·       JSON CVE-2024-7986

·       JSON CVE 2024-7987

·       JSON CVE 2024 -7988

Copyright ©2022 Rockwell Automation, Inc.