
Rockwell Automation ThinManager ThinServer

Priority: Act Now
CVSS: 8.1
Source: ICS-CERT ICSA-22-270-03
Published: Sep 27, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

ThinManager ThinServer contains a buffer overflow in its handling of network packets received on its TFTP (UDP/69) and HTTPS (TCP/443) ports. A remote, unauthenticated attacker who can reach either port can send a specially crafted packet that crashes the service or, in the worst case, executes code on the ThinServer host. Versions 11.0.0 through 13.0.0 are affected. Attack complexity is rated high because the attacker must craft a specific malformed packet; no public exploit is known at the time of this advisory, which lowers but does not remove the urgency of patching.

What this means
What could happen
A buffer overflow in ThinManager ThinServer could let an attacker crash the service (denial of service) or execute code remotely on the ThinServer host. Either outcome compromises your ability to manage and monitor thin client devices across the network, and code execution also gives the attacker a foothold on the network segment that hosts the thin-client fleet.
Who's at risk
Organizations using Rockwell Automation ThinManager ThinServer to manage thin client endpoints should care. This affects control system administrators and IT staff responsible for maintaining thin client device fleets in manufacturing, utilities, and other industrial environments. Affected versions include 11.0.0 through 13.0.0.
How it could be exploited
An attacker with network access to the ThinManager TFTP (UDP/69) or HTTPS (TCP/443) port sends a specially crafted packet that triggers the overflow in ThinServer. No credentials are needed. Building a working payload requires careful crafting (hence the high complexity rating), but a successful attempt yields remote code execution on the ThinServer host, and even an unsuccessful one can crash the service.
Prerequisites
  • Network access to the ThinManager TFTP port (UDP/69) or HTTPS port (TCP/443)
  • No authentication required
  • Attacker must craft a specific malformed packet (not trivial)
Tags
  • remotely exploitable
  • no authentication required
  • high EPSS score (11.2%)
  • network-facing service (TFTP/HTTPS)
  • buffer overflow condition
  • high attack complexity (limits risk but does not eliminate it)
Exploitability
High exploit probability: EPSS 11.2%. EPSS estimates the probability that a vulnerability will see exploitation activity in the next 30 days; 11.2% is well above the score of the typical CVE, so do not let the high attack complexity rating alone defer patching.
Affected products (1)
Product | Affected Versions | Fix Status
ThinManager ThinServer | 11.0.0–11.0.4; 11.1.0–11.1.4; 11.2.0–11.2.5; 12.0.0–12.0.2; 12.1.0–12.1.3; 13.0.0 | Hotfix available for every affected branch (see Remediation & Mitigation)
Remediation & Mitigation
Do now
WORKAROUND: Until the hotfix is applied, restrict inbound access to the ThinManager TFTP (UDP/69) and HTTPS (TCP/443) ports to the addresses of authorized thin client devices and deny all other sources, using firewall rules on the ThinServer host, at the network boundary, or both. Use a default-deny rule with an explicit allow list rather than blocking known-bad sources, and confirm the rule set by attempting to connect from a host that is not on the list.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ThinManager ThinServer to the patched release for your branch:
  • 11.0.0–11.0.4: update to v11.00.05
  • 11.1.0–11.1.4: update to v11.01.05
  • 11.2.0–11.2.5: update to v11.02.06
  • 12.0.0–12.0.2: update to v12.00.03
  • 12.1.0–12.1.3: update to v12.01.04
  • 13.0.0: update to v13.00.01
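The affected-version ranges and hotfix targets are easy to misread across a fleet that mixes release branches, especially because Rockwell writes hotfix numbers with zero-padded fields (v11.00.05) while the affected list uses plain fields (11.0.4). The following Python script is an added example, not OTPulse or Rockwell tooling: it encodes the table from this advisory and classifies an inventory of hostname/version pairs into affected (with the hotfix to apply), already hotfixed, or outside the advisory. The hostnames and versions in the sample inventory are constructed, and the `hostname,version` line format is an assumption about how you export your inventory.

```python
"""Triage ThinManager ThinServer versions against this advisory's affected
ranges and hotfixes (added example; not OTPulse or Rockwell tooling)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, hotfix) per release branch, inclusive,
# transcribed from the advisory's HOTFIX item.
HOTFIXES: Tuple[Tuple[Version, Version, str], ...] = (
    ((11, 0, 0), (11, 0, 4), "v11.00.05"),
    ((11, 1, 0), (11, 1, 4), "v11.01.05"),
    ((11, 2, 0), (11, 2, 5), "v11.02.06"),
    ((12, 0, 0), (12, 0, 2), "v12.00.03"),
    ((12, 1, 0), (12, 1, 3), "v12.01.04"),
    ((13, 0, 0), (13, 0, 0), "v13.00.01"),
)
ADVISORY_LOW, ADVISORY_HIGH = (11, 0, 0), (13, 0, 0)


def parse_version(text: str) -> Version:
    """Parse '11.0.4', 'v11.00.05' or '13.0.0' into a comparable tuple.

    Fields are compared as integers, so 'v11.00.05' equals '11.0.5';
    a plain string comparison would get that wrong.
    """
    parts = text.strip().lower().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ThinServer version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


@dataclass(frozen=True)
class Finding:
    host: str
    reported: str
    affected: bool
    hotfix: Optional[str]  # release to install when affected, else None
    note: str


def triage(host: str, reported: str) -> Finding:
    """Classify one host's reported version."""
    try:
        v = parse_version(reported)
    except ValueError as exc:
        # An unparseable version must not silently pass as "not affected".
        return Finding(host, reported, False, None, f"needs manual review: {exc}")

    for low, high, fix in HOTFIXES:
        if low <= v <= high:
            return Finding(host, reported, True, fix, f"affected, update to {fix}")

    # Same major.minor branch as a listed hotfix and at or above it: patched.
    for low, _high, fix in HOTFIXES:
        if v[:2] == low[:2] and v >= parse_version(fix):
            return Finding(host, reported, False, None, f"at or above hotfix {fix}")

    if v < ADVISORY_LOW or v > ADVISORY_HIGH:
        return Finding(host, reported, False, None,
                       "outside 11.0.0 through 13.0.0; not listed in this advisory")
    return Finding(host, reported, False, None,
                   "branch not listed in advisory; confirm status with vendor")


def triage_inventory(lines: Iterable[str]) -> List[Finding]:
    """Run triage over 'hostname,version' lines; blank lines and '#' comments are skipped."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _sep, version = line.partition(",")
        findings.append(triage(host.strip(), version.strip()))
    return findings


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = """
# host,thinserver_version
thinsrv-plant1,11.2.3
thinsrv-plant2,v12.00.03
thinsrv-lab,13.0.0
thinsrv-legacy,10.0.2
thinsrv-broken,unknown
"""

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY.splitlines()):
        flag = "AFFECTED" if f.affected else "ok      "
        print(f"{flag} {f.host:16} {f.reported:10} {f.note}")
```

Unparseable versions are reported for manual review rather than treated as clean, and a version inside the 11.0.0 to 13.0.0 span on a branch the advisory does not list is flagged for vendor confirmation rather than assumed safe.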
Long-term hardening
HARDENINGIsolate ThinManager network from business network and ensure it is not reachable from the Internet
HARDENINGReview Rockwell Automation Security Best Practices (Knowledgebase article QA43240)