PatchSiren cyber security CVE debrief
CVE-2024-10945 Rockwell Automation CVE debrief
A local privilege escalation vulnerability in Rockwell Automation FactoryTalk Updater components allows low-privileged attackers to replace files during update operations because the updater performs insufficient security checks before installation. The vulnerability affects the Web Client (versions 4.00.00 up to, but not including, 4.20.00), the Client (versions below 4.20.00), and the Agent (versions below 4.20.00). Published by CISA on November 14, 2024, and updated on November 18, 2024, this HIGH severity issue (CVSS 7.3) requires local access and user interaction but grants high impact on confidentiality, integrity, and availability. Rockwell Automation has released version 4.20.00 as the definitive fix across all affected components.
- Vendor: Rockwell Automation
- Product: FactoryTalk Updater - Web Client
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-14
- Original CVE updated: 2024-11-18
- Advisory published: 2024-11-14
- Advisory updated: 2024-11-18
Who should care
Organizations operating Rockwell Automation FactoryTalk Updater in industrial environments, particularly those in manufacturing, critical infrastructure, and operational technology (OT) sectors. System administrators responsible for patch management in ICS/SCADA environments, security teams overseeing OT/IT convergence, and compliance officers managing NERC CIP or IEC 62443 requirements should prioritize assessment. The local attack vector makes this especially relevant for multi-user systems or environments with shared workstation access.
Technical summary
The vulnerability exists in the update mechanism of FactoryTalk Updater components, where insufficient security checks before installation allow a low-privileged local attacker to replace certain files during the update process. Because file integrity and authenticity are not validated before the installation step executes, an attacker has a window in which to substitute files, and that substitution can be leveraged for privilege escalation. The attack requires local access (AV:L), low attack complexity (AC:L), low privileges (PR:L), and user interaction (UI:R), but successful exploitation yields high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The Web Client component is affected from version 4.00.00 up to, but not including, 4.20.00, while the Client and Agent components are affected in all versions below 4.20.00.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade FactoryTalk Updater - Web Client to version 4.20.00 or later
- Upgrade FactoryTalk Updater - Client to version 4.20.00 or later
- Upgrade FactoryTalk Updater - Agent to version 4.20.00 or later
- Restrict physical and logical access to servers running FactoryTalk Updater
- Perform database updates by clicking the 'Scan' button after patching
- Review Rockwell Automation security best practices for industrial control systems
- Apply Stakeholder-Specific Vulnerability Categorization (SSVC) for environment-specific prioritization
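The three upgrade actions above map directly onto the version ranges the CSAF advisory lists in the evidence notes. As an added illustration (not Rockwell Automation's or CISA's code), the following Python script evaluates a host's installed component versions against those ranges and reports which components still need the 4.20.00 upgrade. The inventory dictionary is constructed for the example; on a real host the version strings would come from the installed-software inventory. Version strings are compared numerically, segment by segment, so that 4.9.00 correctly sorts below 4.20.00.

```python
"""Added example: decide which FactoryTalk Updater components on a host are
still inside the affected ranges stated in CISA CSAF advisory ICSA-24-319-14.
The sample inventory below is constructed, not real host data."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges from the advisory: (lower bound inclusive or None, upper bound exclusive)
AFFECTED: Dict[str, Tuple[Optional[Version], Version]] = {
    "FactoryTalk Updater - Web Client": ((4, 0, 0), (4, 20, 0)),  # >=4.00.00 | <4.20.00
    "FactoryTalk Updater - Client": (None, (4, 20, 0)),            # <4.20.00
    "FactoryTalk Updater - Agent": (None, (4, 20, 0)),             # <4.20.00
}
FIXED_VERSION = "4.20.00"


def parse_version(s: str) -> Version:
    """'4.20.00' -> (4, 20, 0); pads to at least three segments so that
    '4.20' and '4.20.00' compare equal."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {s!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))
    return tuple(nums)


def is_affected(component: str, version: str) -> bool:
    """True if the installed version falls inside the advisory's affected range."""
    if component not in AFFECTED:
        raise KeyError(f"unknown component: {component}")
    low, high = AFFECTED[component]
    v = parse_version(version)
    if low is not None and v < low:
        return False
    return v < high


def assess(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each installed component to a verdict: upgrade needed or OK."""
    return {
        component: (f"UPGRADE to {FIXED_VERSION}" if is_affected(component, version) else "OK")
        for component, version in inventory.items()
    }


# Constructed sample inventory (hypothetical host, not real data)
SAMPLE_INVENTORY = {
    "FactoryTalk Updater - Web Client": "4.10.00",
    "FactoryTalk Updater - Client": "4.20.00",
    "FactoryTalk Updater - Agent": "3.50.00",
}

if __name__ == "__main__":
    for comp, verdict in assess(SAMPLE_INVENTORY).items():
        print(f"{comp}: {verdict}")
```

The Web Client range has a lower bound, so a Web Client older than 4.00.00 is reported as outside the advisory's affected range, exactly as the CSAF product ranges state; the Client and Agent ranges have no lower bound, so any version below 4.20.00 is flagged.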
Evidence notes
CISA CSAF advisory ICSA-24-319-14 identifies three affected product variants: FactoryTalk Updater - Web Client (CSAFPID-0001, versions >=4.00.00|<4.20.00), FactoryTalk Updater - Client (CSAFPID-0002, versions <4.20.00), and FactoryTalk Updater - Agent (CSAFPID-0003, versions <4.20.00). The vulnerability stems from missing security checks during update installation, allowing file replacement by low-privileged local actors. CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.
Official resources
- CVE-2024-10945 CVE record (CVE.org)
- CVE-2024-10945 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference
CISA published this advisory on November 14, 2024, with Update A released November 18, 2024, to clarify version information and correct critical infrastructure sector details.