A remote code execution vulnerability exists in the affected
product. The vulnerability allows users to save projects within the public
directory allowing anyone with local access to modify and/or delete files. Additionally,
a malicious user could potentially leverage this vulnerability to escalate
their privileges by changing the macro to execute arbitrary code.
Fixes

Solution

Upgrade to Version 15


Workaround

·         To enhance security and prevent unauthorized modifications to HMI project files, harden the Windows OS by removing the INTERACTIVE group from the folder’s security properties. ·         Add specific users or user groups and assign their permissions to this folder using the least privileges principle. Users with read-only permission can still test run and run the FactoryTalk View ME Station. ·         Guidance can be found in FactoryTalk View ME v14 Help topic: “HMI projects folder settings”. It can be opened through FactoryTalk View ME Studio menu “help\Contents\FactoryTalk View ME Help\Create a Machine Edition application->Open applications->HMI project folder settings”.  Security Best Practices

History

Tue, 12 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Rockwellautomation
Rockwellautomation factorytalk View Machine Edition
CPEs cpe:2.3:a:rockwellautomation:factorytalk_view_machine_edition:*:*:*:*:*:*:*:*
Vendors & Products Rockwellautomation
Rockwellautomation factorytalk View Machine Edition
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 Nov 2024 15:00:00 +0000

Type Values Removed Values Added
Description A remote code execution vulnerability exists in the affected product. The vulnerability allows users to save projects within the public directory allowing anyone with local access to modify and/or delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate their privileges by changing the macro to execute arbitrary code.
Title FactoryTalk View ME Remote Code Execution Vulnerability via Project Save Path
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Rockwell

Published:

Updated: 2024-11-12T19:04:00.897Z

Reserved: 2024-06-06T20:18:27.551Z

Link: CVE-2024-37365

cve-icon Vulnrichment

Updated: 2024-11-12T19:03:55.651Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-12T15:15:08.923

Modified: 2024-11-12T15:48:59.103

Link: CVE-2024-37365

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.