PatchSiren cyber security CVE debrief

CVE-2024-7986 Rockwell Automation CVE debrief

A vulnerability in Rockwell Automation ThinManager ThinServer allows local attackers to disclose sensitive information by abusing the ThinServer service to read arbitrary files through directory junction manipulation. The flaw requires local access and low privileges, with no user interaction needed. Rockwell Automation has released patched versions across multiple release branches.

Vendor: Rockwell Automation
Product: ThinManager ThinServer
CVSS: 5.5 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-29
Original CVE updated: 2024-08-29
Advisory published: 2024-08-29
Advisory updated: 2024-08-29

Who should care

Organizations operating Rockwell Automation ThinManager ThinServer in industrial environments, particularly those in manufacturing, energy, and critical infrastructure sectors where ThinManager is deployed for centralized thin client management. Security teams responsible for OT/ICS asset protection and patch management should prioritize assessment.

Technical summary

The ThinServer service in Rockwell Automation ThinManager contains an information disclosure vulnerability. A threat actor with local access and low privileges can create a directory junction (an NTFS reparse point that redirects a directory path much like a symbolic link) pointing at a target directory, then abuse the ThinServer service to read arbitrary files from that location. This allows sensitive information disclosure without requiring user interaction. The vulnerability is rated CVSS 3.1 5.5 (MEDIUM) with a confidentiality impact of HIGH. Multiple version branches, 11.1.x through 13.2.x, are affected, with patches available for all supported branches.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade ThinManager ThinServer to patched versions: 11.1.8 or later, 11.2.9 or later, 12.0.7 or later, 12.1.8 or later, 13.0.5 or later, 13.1.3 or later, or 13.2.2 or later
  • Apply Rockwell Automation security best practices for industrial control systems
  • Review and implement CISA ICS recommended practices for defense in depth
  • Monitor for unauthorized directory junction creation on ThinServer hosts
  • Restrict local access to ThinServer systems to authorized personnel only
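An added example for the monitoring item above; it is not Rockwell Automation's or CISA's code. It lists directory junctions and symbolic links under the ThinServer tree and flags any whose target lies outside that tree, which is the pattern the technical summary describes. The path in $ThinServerRoot is an assumed placeholder; run it with an account that can read the whole tree.

```powershell
# Added example (not vendor code): find junctions/symlinks under the ThinServer
# tree whose target escapes it. $ThinServerRoot is a placeholder; set it to the
# real ThinServer install or data directory on the host.
param(
    [string]$ThinServerRoot = 'C:\ThinServer_PLACEHOLDER'
)

function Get-SuspiciousJunction {
    param([Parameter(Mandatory)][string]$Root)

    $resolvedRoot = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')

    # Only directories carrying the ReparsePoint attribute can be junctions or symlinks.
    Get-ChildItem -LiteralPath $Root -Recurse -Directory -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -in @('Junction', 'SymbolicLink') } |
        ForEach-Object {
            # Target is a string array on Windows PowerShell 5.1 and a string on PowerShell 7.
            $target = ($_.Target | Select-Object -First 1)
            $inside = $target -and
                      $target.TrimEnd('\').StartsWith($resolvedRoot, [System.StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{
                Path        = $_.FullName
                LinkType    = $_.LinkType
                Target      = $target
                CreatedUtc  = $_.CreationTimeUtc
                OutsideRoot = -not $inside   # $true is the condition worth alerting on
            }
        }
}

Get-SuspiciousJunction -Root $ThinServerRoot |
    Where-Object OutsideRoot |
    Format-Table -AutoSize
```

Schedule it per host and compare against a baseline taken right after patching; a junction that appears later and points outside the tree deserves a ticket even on a patched version.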

Evidence notes

Vulnerability disclosed via CISA ICS Advisory ICSA-24-242-01 on 2024-08-29. CVSS 3.1 score of 5.5 (MEDIUM) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Affects ThinManager ThinServer versions 11.1.0-11.1.6, 11.2.0-11.2.7, 12.0.0-12.0.5, 12.1.0-12.1.6, 13.0.0-13.0.3, 13.1.0-13.1.1, and 13.2.0.
