Introduction
Vera Mens, from Claroty Research – Team82, has reported three critical vulnerabilities whose exploitation could allow an attacker to perform editing operations, create administrator users, perform a factory reset, execute arbitrary code, or cause a denial-of-service condition. [1]
Analysis
The critical vulnerabilities found are as follows [2]:
- CVE-2024-12371 – Missing Authentication for Critical Function (CWE-306): A device takeover vulnerability exists in Rockwell Automation Power Monitor 1000. This vulnerability allows the configuration of a new policyholder user without any authentication through the API. The policyholder user is the most privileged user who can perform editing operations, create administrator users, and perform factory resets.
- CVE-2024-12372 – Improper Control of Code Generation (Code Injection) (CWE-94): A denial-of-service vulnerability and possible remote code execution exist in Rockwell Automation Power Monitor 1000. The vulnerability causes heap memory corruption, which can compromise system integrity and potentially allow remote code execution or a denial-of-service attack.
- CVE-2024-12373 – Buffer Copy Without Checking Size of Input (Classic Buffer Overflow) (CWE-94): A denial-of-service vulnerability exists in Rockwell Automation Power Monitor 1000. The vulnerability causes a buffer overflow, potentially resulting in a denial-of-service condition.
The affected product series are:
- PM1k 1408-BC3A-485: versions prior to 4.020;
- PM1k 1408-BC3A-ENT: versions prior to 4.020;
- PM1k 1408-TS3A-485: versions prior to 4.020;
- PM1k 1408-TS3A-ENT: versions prior to 4.020;
- PM1k 1408-EM3A-485: versions prior to 4.020;
- PM1k 1408-EM3A-ENT: versions prior to 4.020;
- PM1k 1408-TR1A-485: versions prior to 4.020;
- PM1k 1408-TR2A-485: versions prior to 4.020;
- PM1k 1408-EM1A-485: versions prior to 4.020;
- PM1k 1408-EM2A-485: versions prior to 4.020;
- PM1k 1408-TR1A-ENT: versions prior to 4.020;
- PM1k 1408-TR2A-ENT: versions prior to 4.020;
- PM1k 1408-EM1A-ENT: versions prior to 4.020;
Recommendations
Rockwell Automation has addressed the reported vulnerabilities in firmware version 4.020 and recommends that users upgrade to the latest available version.
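A small inventory check that a defender could run against the affected-model list above, added here as an example and not taken from the advisory or the vendor: it flags assets whose catalogue number is in the affected list and whose firmware is older than 4.020. The inventory entries are constructed, and the version scheme is assumed to compare numerically field by field.

```python
"""Inventory triage for the PowerMonitor 1000 advisory (added example)."""
import re

FIXED_VERSION = "4.020"

# Catalogue numbers the advisory lists as affected prior to 4.020.
AFFECTED_MODELS = {
    "1408-BC3A-485", "1408-BC3A-ENT", "1408-TS3A-485", "1408-TS3A-ENT",
    "1408-EM3A-485", "1408-EM3A-ENT", "1408-TR1A-485", "1408-TR2A-485",
    "1408-EM1A-485", "1408-EM2A-485", "1408-TR1A-ENT", "1408-TR2A-ENT",
    "1408-EM1A-ENT",
}


def parse_version(text):
    """Turn '4.020' into (4, 20) so the comparison is numeric, not lexical."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(model, version):
    """True when the model is affected and its firmware predates 4.020."""
    model = model.strip().upper()
    if model.startswith("PM1K "):          # tolerate the 'PM1k' series prefix
        model = model[len("PM1K "):]
    if model not in AFFECTED_MODELS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """inventory: iterable of (asset_name, model, firmware); returns assets to upgrade."""
    return [name for name, model, fw in inventory if is_vulnerable(model, fw)]


# Constructed sample inventory (hypothetical asset names, not real devices).
SAMPLE_INVENTORY = [
    ("pm-substation-a", "PM1k 1408-EM3A-ENT", "3.010"),  # affected, old firmware
    ("pm-substation-b", "1408-TR1A-485", "4.020"),       # affected model, already fixed
    ("pm-feeder-c", "1408-EM1A-ENT", "4.021"),           # affected model, newer firmware
    ("pm-other", "1408-XYZ9-ENT", "1.000"),              # not an affected model
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: firmware below {FIXED_VERSION}, upgrade required")
```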
References
[1] ICSA-24-352-03: Rockwell Automation PowerMonitor 1000 Remote