PatchSiren cyber security CVE debrief
CVE-2024-10943 Rockwell Automation CVE debrief
A critical authentication bypass vulnerability in Rockwell Automation FactoryTalk Updater components allows threat actors to impersonate users by exploiting shared secrets across accounts. The vulnerability stems from improper credential management where authentication secrets are not uniquely assigned per user account, enabling impersonation attacks when combined with enumerated supplementary authentication information. The affected components include the Web Client (versions 4.00.00 through 4.20.00), Client (versions prior to 4.20.00), and Agent (versions prior to 4.20.00). Rockwell Automation released version 4.20.00 to address this vulnerability across all affected components. CISA published the initial advisory on November 14, 2024, with an update on November 18, 2024, clarifying version information and correcting critical infrastructure sector details. The CVSS 3.1 score of 9.1 reflects network accessibility, low attack complexity, no required privileges, and high impacts to confidentiality and integrity. Organizations should prioritize updating to version 4.20.00 and implement network access controls to limit exposure of FactoryTalk Updater servers.
- Vendor: Rockwell Automation
- Product: FactoryTalk Updater - Web Client
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-14
- Original CVE updated: 2024-11-18
- Advisory published: 2024-11-14
- Advisory updated: 2024-11-18
Who should care
Organizations operating Rockwell Automation FactoryTalk Updater in industrial control environments, particularly those with Web Client deployments since version 4.00.00 or any Client/Agent installations below version 4.20.00. Critical infrastructure operators in manufacturing, energy, and process industries should prioritize patching due to the network-accessible attack vector and potential for unauthorized system access.
Technical summary
The vulnerability exists in the authentication mechanism of FactoryTalk Updater components, where shared secrets are used across multiple user accounts rather than unique credentials per account. A threat actor with network access who can enumerate the additional required authentication information can leverage these shared secrets to impersonate legitimate users. The attack requires no privileges and no user interaction; successful exploitation has a high impact on the confidentiality and integrity of the affected system. The Web Client is affected in versions 4.00.00 through 4.20.00, while the Client and Agent are affected in all versions prior to 4.20.00. Remediation requires updating all components to version 4.20.00, which implements proper per-account credential isolation.
Defensive priority
critical
Recommended defensive actions
- Update FactoryTalk Updater Web Client to version 4.20.00 or later
- Update FactoryTalk Updater Client to version 4.20.00 or later
- Update FactoryTalk Updater Agent to version 4.20.00 or later
- Restrict network access to FactoryTalk Updater servers to authorized administrative hosts only
- Apply security best practices for industrial automation control systems per vendor guidance
- Use Stakeholder-Specific Vulnerability Categorization (SSVC) for environment-specific prioritization
Evidence notes
Vulnerability disclosed via CISA ICS advisory ICSA-24-319-14 on November 14, 2024, with Update A published November 18, 2024. Advisory confirms shared secrets across accounts as root cause and specifies exact affected version ranges. Vendor fix version 4.20.00 confirmed across Web Client, Client, and Agent components.
Official resources
- CVE-2024-10943 CVE record (CVE.org)
- CVE-2024-10943 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-11-14