PatchSiren cyber security CVE debrief
CVE-2024-6236 Rockwell Automation CVE debrief
CVE-2024-6236 is a medium-severity information exposure vulnerability in Rockwell Automation FactoryTalk System Services and FactoryTalk Policy Manager version 6.40. Published on July 11, 2024, the flaw stems from insufficient permissions on backup folders used during backup or restore operations. When these processes run, sensitive materials—including private keys, passwords, pre-shared keys, and database folders—are temporarily copied to an interim folder where they may be accessible to malicious local users. Successful acquisition of private keys could enable impersonation of resources on the secured network. The vulnerability is rated CVSS 3.1 5.9 (Medium) with a vector of AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N, indicating local attack vector, low attack complexity, low privileges required, user interaction needed, scope change, and high confidentiality impact with no integrity or availability impact. CISA published advisory ICSA-24-193-19 on the same date. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Rockwell Automation
- Product: FactoryTalk System Services
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-11
- Original CVE updated: 2024-07-11
- Advisory published: 2024-07-11
- Advisory updated: 2024-07-11
Who should care
Organizations operating Rockwell Automation FactoryTalk System Services or FactoryTalk Policy Manager version 6.40 in industrial control environments, particularly those using CIP Security for device authentication and encryption. Security teams responsible for OT/ICS asset protection, network administrators managing FactoryTalk deployments, and compliance officers overseeing critical infrastructure security should prioritize assessment and remediation.
Technical summary
The vulnerability exists in FactoryTalk System Services version 6.40 where backup and restore operations copy sensitive cryptographic material to an interim folder without explicit access controls. The affected path c:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup and the keystore directory c:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore are created with permissions that allow local users to read private keys, pre-shared keys, and database contents during the brief window of the backup operation. The FactoryTalk Policy Manager component at version 6.40 is similarly affected as it manages the security policies that rely on these keys. The attack requires local access and user interaction to trigger a backup or restore, but successful exploitation yields high-value credentials that could enable lateral movement and resource impersonation within the secured industrial network. The fix in version 6.40.01 addresses the permission model, and the vendor mandates complete key regeneration to ensure no previously exposed credentials remain valid.
Defensive priority
medium
Recommended defensive actions
- Update FactoryTalk System Services and FactoryTalk Policy Manager to version 6.40.01 to address the insecure backup folder permissions
- Prior to update, remove deployed security policies from all devices using FactoryTalk Policy Manager, documenting zone and conduit settings for recreation
- Delete the FTSS_backup folder at c:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup to remove potentially exposed interim copies
- Delete the keystore folder and any backup copies with timestamped suffixes from the FactoryTalk System Services directory
- Delete the PSKs.json file and any backup copies with timestamped suffixes from the FactoryTalk System Services directory
- Regenerate new private keys and digital certificates after cleanup to invalidate any potentially compromised credentials
- Redeploy CIP Security policies after completing the update and key regeneration process
- Implement least-privilege access controls on ProgramData subdirectories to prevent unauthorized access to sensitive configuration files
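Added here as an audit script for the paths named in the technical summary and the cleanup steps above; it is not code from Rockwell Automation, CISA or PatchSiren. It reports ACEs on the interim FTSS_Backup folder and the keystore folder that grant read access to broad local groups, and lists any keystore or PSKs.json copies still present in the FactoryTalk System Services directory. The list of "broad" principals and the wildcard patterns for timestamped copies are assumptions; it only reports and deletes nothing.

```powershell
# Added audit script (not vendor code). Run elevated on the FactoryTalk System Services host.
# Paths are the ones quoted in the advisory text; everything else below is an assumption.
$Paths = @(
    'C:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup',
    'C:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore'
)
$FtssDir = 'C:\ProgramData\Rockwell Automation\FactoryTalk System Services'

# Assumption: local principals that should never hold read rights on key material.
$BroadPrincipals = @('BUILTIN\Users', 'Everyone',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# ReadData is the bit that lets a principal read file contents (same bit as ListDirectory).
$ReadBits = [System.Security.AccessControl.FileSystemRights]::ReadData

$findings = @()
foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        $findings += [pscustomobject]@{ Path = $p; Issue = 'absent (nothing to clean up)'; Detail = '' }
        continue
    }
    $acl = Get-Acl -LiteralPath $p
    foreach ($ace in $acl.Access) {
        $grantsRead = (($ace.FileSystemRights -band $ReadBits) -ne 0)
        if ($ace.AccessControlType -eq 'Allow' -and $grantsRead -and
            ($BroadPrincipals -contains $ace.IdentityReference.Value)) {
            $findings += [pscustomobject]@{
                Path   = $p
                Issue  = 'broad read ACE'
                Detail = "$($ace.IdentityReference) : $($ace.FileSystemRights)"
            }
        }
    }
}

# Leftover key material the vendor guidance says to delete before regenerating keys.
# Assumption: timestamped backup copies keep the base name as a prefix (keystore*, PSKs.json*).
if (Test-Path -LiteralPath $FtssDir) {
    $leftovers = Get-ChildItem -LiteralPath $FtssDir -Force |
        Where-Object { $_.Name -like 'keystore*' -or $_.Name -like 'PSKs.json*' }
    foreach ($f in $leftovers) {
        $findings += [pscustomobject]@{
            Path   = $f.FullName
            Issue  = 'key material present'
            Detail = "last modified $($f.LastWriteTime)"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No broad read ACEs or leftover key material found.' }
```

Any "broad read ACE" finding on a host still at 6.40 means the interim copies made during the next backup are readable by ordinary local users, so the update, cleanup and key regeneration steps above should be carried out in that order.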
Evidence notes
Vulnerability description and affected products confirmed via CISA CSAF advisory ICSA-24-193-19. CVSS vector and score sourced from official CISA CSAF document. Remediation steps including version 6.40.01 update and key regeneration procedures documented in vendor-provided mitigation guidance within the same advisory.
Official resources
- CVE-2024-6236 CVE record (CVE.org)
- CVE-2024-6236 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-07-11