{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7847", "assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0", "state": "PUBLISHED", "assignerShortName": "Rockwell", "dateReserved": "2024-08-15T15:51:22.233Z", "datePublished": "2024-10-14T13:47:14.540Z", "dateUpdated": "2024-10-15T14:05:45.670Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "RSLogix 500\u00ae", "vendor": "Rockwell Automation", "versions": [{"status": "affected", "version": "All"}]}, {"defaultStatus": "unaffected", "product": "RSLogix\u2122 Micro Developer and Starter", "vendor": "Rockwell Automation", "versions": [{"status": "affected", "version": "All"}]}, {"defaultStatus": "unaffected", "product": "RSLogix\u2122 5", "vendor": "Rockwell Automation", "versions": [{"status": "affected", "version": "All"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Sharon Brizinov of Claroty Research - Team82"}], "datePublic": "2024-09-19T13:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p><b>VULNERABILITY DETAILS</b></p><p>Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82. </p><p>A feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability.</p>"}], "value": "VULNERABILITY DETAILS\n\nRockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82. \n\nA feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability."}], "impacts": [{"capecId": "CAPEC-19", "descriptions": [{"lang": "en", "value": "CAPEC-19 Embedding Scripts within Scripts"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 8.8, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b73dd486-f505-4403-b634-40b078b177f0", "shortName": "Rockwell", "dateUpdated": "2024-10-14T13:47:14.540Z"}, "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1701.html"}], "source": {"discovery": "EXTERNAL"}, "title": "RSLogix\u2122 5 and RSLogix 500\u00ae Remote Code Execution Via VBA Embedded Script", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p><b>Mitigations and Workarounds </b></p><p>Users using the affected software are encouraged to apply the following mitigations and security best practices, where possible. </p><p>\u00b7 &nbsp; &nbsp; &nbsp; Deny the execution feature in FactoryTalk\u00ae Administration Console, when not needed, by navigating to \u201cPolicies\u201d, selecting \u2018\u201dEnable/Disable VBA\u201d, and then checking the \u201cDeny\u201d box to block VBA code execution.</p><p>\u00b7 &nbsp; &nbsp; &nbsp; Save project files in a Trusted\u00ae location where only administrators can modify it and verify file integrity.</p><p>\u00b7 &nbsp; &nbsp; &nbsp; Utilize the VBA editor protection feature, which locks the VBA code from viewing and editing by setting a password.</p>"}], "value": "Mitigations and Workarounds \n\nUsers using the affected software are encouraged to apply the following mitigations and security best practices, where possible. \n\n\u00b7 \u00a0 \u00a0 \u00a0 Deny the execution feature in FactoryTalk\u00ae Administration Console, when not needed, by navigating to \u201cPolicies\u201d, selecting \u2018\u201dEnable/Disable VBA\u201d, and then checking the \u201cDeny\u201d box to block VBA code execution.\n\n\u00b7 \u00a0 \u00a0 \u00a0 Save project files in a Trusted\u00ae location where only administrators can modify it and verify file integrity.\n\n\u00b7 \u00a0 \u00a0 \u00a0 Utilize the VBA editor protection feature, which locks the VBA code from viewing and editing by setting a password."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "rockwellautomation", "product": "rslogix_500", "cpes": ["cpe:2.3:a:rockwellautomation:rslogix_500:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "*", "versionType": "custom"}]}, {"vendor": "rockwellautomation", "product": "rslogix_micro_developer", "cpes": ["cpe:2.3:a:rockwellautomation:rslogix_micro_developer:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "*", "versionType": "custom"}]}, {"vendor": "rockwellautomation", "product": "rslogix_micro_starter", "cpes": ["cpe:2.3:a:rockwellautomation:rslogix_micro_starter:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "*", "versionType": "custom"}]}, {"vendor": "rockwellautomation", "product": "rslogix_5", "cpes": ["cpe:2.3:a:rockwellautomation:rslogix_5:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "*", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-14T15:18:18.670939Z", "id": "CVE-2024-7847", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T14:05:45.670Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "RSLogix\u2122 5 and RSLogix 500\u00ae Remote Code Execution Via VBA Embedded Script", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Sharon Brizinov of Claroty Research - Team82"}], "impacts": [{"capecId": "CAPEC-19", "descriptions": [{"lang": "en", "value": "CAPEC-19 Embedding Scripts within Scripts"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Rockwell Automation", "product": "RSLogix 500\u00ae", "versions": [{"status": "affected", "version": "All"}], "defaultStatus": "unaffected"}, {"vendor": "Rockwell Automation", "product": "RSLogix\u2122 Micro Developer and Starter", "versions": [{"status": "affected", "version": "All"}], "defaultStatus": "unaffected"}, {"vendor": "Rockwell Automation", "product": "RSLogix\u2122 5", "versions": [{"status": "affected", "version": "All"}], "defaultStatus": "unaffected"}], "datePublic": "2024-09-19T13:00:00.000Z", "references": [{"url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1701.html"}], "workarounds": [{"lang": "en", "value": "Mitigations and Workarounds \n\nUsers using the affected software are encouraged to apply the following mitigations and security best practices, where possible. \n\n\u00b7 \u00a0 \u00a0 \u00a0 Deny the execution feature in FactoryTalk\u00ae Administration Console, when not needed, by navigating to \u201cPolicies\u201d, selecting \u2018\u201dEnable/Disable VBA\u201d, and then checking the \u201cDeny\u201d box to block VBA code execution.\n\n\u00b7 \u00a0 \u00a0 \u00a0 Save project files in a Trusted\u00ae location where only administrators can modify it and verify file integrity.\n\n\u00b7 \u00a0 \u00a0 \u00a0 Utilize the VBA editor protection feature, which locks the VBA code from viewing and editing by setting a password.", "supportingMedia": [{"type": "text/html", "value": "<p><b>Mitigations and Workarounds </b></p><p>Users using the affected software are encouraged to apply the following mitigations and security best practices, where possible. </p><p>\u00b7 &nbsp; &nbsp; &nbsp; Deny the execution feature in FactoryTalk\u00ae Administration Console, when not needed, by navigating to \u201cPolicies\u201d, selecting \u2018\u201dEnable/Disable VBA\u201d, and then checking the \u201cDeny\u201d box to block VBA code execution.</p><p>\u00b7 &nbsp; &nbsp; &nbsp; Save project files in a Trusted\u00ae location where only administrators can modify it and verify file integrity.</p><p>\u00b7 &nbsp; &nbsp; &nbsp; Utilize the VBA editor protection feature, which locks the VBA code from viewing and editing by setting a password.</p>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "VULNERABILITY DETAILS\n\nRockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82. \n\nA feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "<p><b>VULNERABILITY DETAILS</b></p><p>Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82. </p><p>A feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "b73dd486-f505-4403-b634-40b078b177f0", "shortName": "Rockwell", "dateUpdated": "2024-10-14T13:47:14.540Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7847", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-14T15:18:18.670939Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:rockwellautomation:rslogix_500:*:*:*:*:*:*:*:*"], "vendor": "rockwellautomation", "product": "rslogix_500", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:rockwellautomation:rslogix_micro_developer:*:*:*:*:*:*:*:*"], "vendor": "rockwellautomation", "product": "rslogix_micro_developer", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:rockwellautomation:rslogix_micro_starter:*:*:*:*:*:*:*:*"], "vendor": "rockwellautomation", "product": "rslogix_micro_starter", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:rockwellautomation:rslogix_5:*:*:*:*:*:*:*:*"], "vendor": "rockwellautomation", "product": "rslogix_5", "versions": [{"status": "affected", "version": "0", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2024-10-15T14:05:31.508Z"}}]}, "cveMetadata": {"cveId": "CVE-2024-7847", "state": "PUBLISHED", "dateUpdated": "2024-10-14T13:47:14.540Z", "dateReserved": "2024-08-15T15:51:22.233Z", "assignerOrgId": "b73dd486-f505-4403-b634-40b078b177f0", "datePublished": "2024-10-14T13:47:14.540Z", "assignerShortName": "Rockwell"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "VULNERABILITY DETAILS\n\nRockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82. \n\nA feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability."}, {"lang": "es", "value": "DETALLES DE LA VULNERABILIDAD Rockwell Automation utiliz\u00f3 las \u00faltimas versiones del sistema de puntuaci\u00f3n CVSS para evaluar las siguientes vulnerabilidades. Sharon Brizinov de Claroty Research - Team82 nos inform\u00f3 sobre las siguientes vulnerabilidades. Una caracter\u00edstica de los productos afectados permite a los usuarios preparar un archivo de proyecto con un script VBA integrado y se puede configurar para que se ejecute una vez que se haya abierto el archivo de proyecto sin intervenci\u00f3n del usuario. Esta caracter\u00edstica se puede utilizar de forma abusiva para enga\u00f1ar a un usuario leg\u00edtimo para que ejecute c\u00f3digo malicioso al abrir un archivo de proyecto RSP/RSS infectado. Si se explota, un actor de amenazas puede realizar una ejecuci\u00f3n remota de c\u00f3digo. Los dispositivos conectados tambi\u00e9n pueden verse afectados por la explotaci\u00f3n de esta vulnerabilidad."}], "id": "CVE-2024-7847", "lastModified": "2024-10-15T12:57:46.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 6.0, "source": "PSIRT@rockwellautomation.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "LOCAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "HIGH", "subsequentSystemIntegrity": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "PSIRT@rockwellautomation.com", "type": "Secondary"}]}, "published": "2024-10-14T14:15:12.020", "references": [{"source": "PSIRT@rockwellautomation.com", "url": "https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1701.html"}], "sourceIdentifier": "PSIRT@rockwellautomation.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "PSIRT@rockwellautomation.com", "type": "Secondary"}]}

{}