PatchSiren cyber security CVE debrief
CVE-2024-6079 Rockwell Automation CVE debrief
A DLL hijacking vulnerability in Rockwell Automation Emulate3D (version 17.00.00.13276) allows local attackers to execute arbitrary code by placing a malicious DLL in a directory that the application loads shared libraries from and that has overly permissive read/write access. The vulnerability requires local access, low privileges, and user interaction, and has a CVSS 3.1 score of 6.7 (Medium severity). Rockwell Automation has released corrected version 17.00.00.13348 to address this issue.
- Vendor: Rockwell Automation
- Product: Emulate3D
- CVSS: MEDIUM 6.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-08-22
- Original CVE updated: 2024-08-22
- Advisory published: 2024-08-22
- Advisory updated: 2024-08-22
Who should care
Organizations running Rockwell Automation Emulate3D version 17.00.00.13276 in industrial control system environments, particularly those with multi-user access to engineering workstations or shared development systems.
Technical summary
The vulnerability stems from Emulate3D loading shared libraries from directories with overly permissive access controls (readable and writable by any user). An attacker with local access and low privileges can place a malicious DLL in these directories, which the application will then load and execute when launched by a legitimate user. This is a classic DLL hijacking attack pattern where the application’s library search order or insecure permissions enable arbitrary code execution. The attack requires user interaction (a legitimate user must launch the application) and has high attack complexity due to the need for precise timing and placement, but successful exploitation grants the attacker high impact across confidentiality, integrity, and availability.
Defensive priority
medium
Recommended defensive actions
- Update Rockwell Automation Emulate3D to version 17.00.00.13348 or later.
- Apply Rockwell Automation suggested security best practices for industrial automation control systems.
- Use Stakeholder-Specific Vulnerability Categorization (SSVC) for environment-specific prioritization.
- Review and restrict file system permissions on shared library directories to prevent unauthorized DLL placement.
- Monitor for unexpected DLL loads in Emulate3D processes.
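One way to carry out the permission review recommended above, as an added example that is not taken from the advisory or from Rockwell Automation's guidance. `$Path` is a placeholder because the page does not name the affected directories, and the set of "broad" principals is an assumption to adjust per site.

```powershell
# Added example: list directories under $Path where broad, low-privileged groups
# hold rights that allow creating a file (and so planting a DLL).
param(
    # Placeholder: the directory Emulate3D loads libraries from is not named on the page.
    [Parameter(Mandatory)] [string] $Path
)

# Well-known SIDs whose membership includes ordinary local users.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# WriteData (create file) and AppendData, plus GENERIC_WRITE and GENERIC_ALL, which
# inherit-only ACEs can carry as raw bits instead of named FileSystemRights values.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]$fsr::WriteData -bor [int]$fsr::AppendData -bor 0x40000000 -bor 0x10000000

$dirs = @(Get-Item -LiteralPath $Path) +
        @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # Explicit and inherited rules, with identities returned as SIDs (locale-independent).
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if (-not $broadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $dir.FullName
            Principal = $broadSids[$sid]
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit lets a scheduled check raise an alert
```

Findings with `Inherited` set to `True` have to be corrected on the parent directory that defines the ACE. Deny entries are not evaluated, so a flagged directory may still be protected by an explicit deny.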
Evidence notes
CISA published advisory ICSA-24-235-01 on 2024-08-22 identifying this vulnerability. The affected product is Rockwell Automation Emulate3D version 17.00.00.13276. The CVSS 3.1 vector (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) indicates local attack vector with high attack complexity, requiring low privileges and user interaction, but resulting in high impact to confidentiality, integrity, and availability.
Official resources
- CVE-2024-6079 CVE record (CVE.org)
- CVE-2024-6079 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-08-22