Rockwell Automation ThinManager Vulnerabilities Pose Threat to Industrial Control Systems

August 24, 2023

Researchers from cybersecurity firm Tenable have discovered significant vulnerabilities in Rockwell Automation’s ThinManager ThinServer, software used for managing thin client and RDP servers. The vulnerabilities are tracked as CVE-2023-2914, CVE-2023-2915, and CVE-2023-2917; one is rated critical and two are rated high severity.

These flaws are described as improper input validation issues that could lead to an integer overflow or path traversal. Remote attackers can exploit them without any prior authentication by sending specially crafted synchronization protocol messages. Successful exploitation could result in a denial-of-service (DoS) condition, deletion of arbitrary files with system privileges, and upload of arbitrary files to any folder on the drive where ThinServer.exe is installed.

Tenable reported these vulnerabilities to Rockwell Automation in May. On August 17, the same day that Tenable released technical details, Rockwell Automation informed its customers about the availability of patches. Tenable has created proof-of-concept (PoC) exploits but has not made them publicly available.

According to Tenable, the only prerequisite for exploiting these vulnerabilities is access to the network hosting the vulnerable server. The vulnerabilities can also be exploited directly from the internet if the server is connected and exposed, although such exposure goes against the vendor’s recommended best practices.

Tenable stated, 'Successful exploitation can allow complete attacker control of the ThinServer. The real world impact of this access depends on the environment, server configuration and the content types the server is configured on and intended to access.' The software in question is typically used for HMIs, which are used to control and monitor industrial equipment. An attacker could potentially gain access to these HMIs and use the server as a launchpad for attacking other network assets.

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an advisory about these vulnerabilities. Threat actors could potentially target these vulnerabilities in Rockwell Automation products in their operations. An unnamed APT has reportedly targeted two ControlLogix vulnerabilities that could be leveraged to disrupt or destroy critical infrastructure organizations. Rockwell has identified a 'new exploit capability,' but there is no evidence yet of these vulnerabilities being exploited in the wild.
