Rockwell Automation ThinManager ThinServer
Plan: Patch
CVSS: 7.5
ICS-CERT: ICSA-23-206-02
Published: Jul 25, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A path traversal vulnerability in ThinManager ThinServer versions 13.0.0 through 13.0.2 and 13.1.0 allows a remote attacker to read arbitrary files from the server's file system. The vulnerability exists in the API feature and requires only network access to exploit. No authentication is necessary. The attacker can enumerate and retrieve any file accessible to the ThinServer's service account, including configuration files, database backups, or credential material.
What this means
What could happen
An attacker can read any file on the ThinServer system without credentials, potentially exposing sensitive configuration data, credentials, or process information stored on the device.
Who's at risk
Manufacturing facilities and utilities that use Rockwell Automation ThinManager ThinServer for terminal server and application management, in particular facilities that rely on ThinServer to deliver Windows applications to thin client devices or operator workstations in control areas.
How it could be exploited
An attacker with network access to the ThinServer exploits a path traversal or file access vulnerability to read arbitrary files from the server's file system. No authentication is required; the attacker can make direct requests to the affected service to retrieve files.
Prerequisites
- Network access to ThinServer (typically port 80/443 for web interface)
- ThinServer running firmware version 13.0.0, 13.0.1, 13.0.2, or 13.1.0
- API feature enabled on the device
Tags: remotely exploitable · no authentication required · low complexity · high impact (information disclosure)
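The defect class this advisory describes, shown as an added example that is not ThinServer's code and makes no claim about how its API is implemented: a naive path join beside a hardened resolver that canonicalises the request and confines it to one base directory. The base directory and request strings are constructed for illustration.

```python
import os
import urllib.parse
from typing import Optional


def resolve_unsafe(base_dir: str, requested: str) -> str:
    """The naive pattern behind path traversal bugs: the request is joined
    onto the base directory and whatever path results is served, including
    paths that climb out of base_dir through '..' segments."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_safe(base_dir: str, requested: str) -> Optional[str]:
    """Hardened resolver: canonicalise the request and confine it to base_dir.
    Returns the absolute path to serve, or None when the request must be
    rejected (the caller answers with a generic 400/404)."""
    # Decode percent-encoding twice so '%2e%2e%2f' and its double-encoded
    # form '%252e%252e%252f' are compared as the characters they stand for.
    decoded = urllib.parse.unquote(urllib.parse.unquote(requested))
    # Windows hosts accept both separators; normalise before checking.
    decoded = decoded.replace("\\", "/")
    # Reject absolute paths, UNC-style paths and drive-letter prefixes outright.
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        return None
    # Reject embedded NUL bytes, which can truncate the path in native APIs.
    if "\x00" in decoded:
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # commonpath, not startswith: '/srv/files_old' must not pass for '/srv/files'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed base directory; it need not exist for the path logic to run.
    base = "/srv/files"
    for req in ("reports/today.txt", "../../outside.txt", "..%2f..%2foutside.txt"):
        print(f"{req!r}: unsafe -> {resolve_unsafe(base, req)}, safe -> {resolve_safe(base, req)}")
```

The same check, applied to request paths pulled from access logs, also makes a serviceable filter for spotting traversal attempts against a file-serving endpoint.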
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
ThinManager ThinServer | >= 13.0.0 and <= 13.0.2; 13.1.0 | 13.0.3, 13.1.1 or later
Remediation & Mitigation
Do now
WORKAROUND: Disable the API feature on the ThinServer if it is not required for operations
HARDENING: Configure the ThinServer service account to have minimal required file system permissions only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update ThinServer firmware to version 13.0.3 or 13.1.1 or later
Long-term hardening
HARDENING: Restrict network access to ThinServer with firewall rules; do not expose to the Internet
HARDENING: Isolate the ThinServer on a separate network segment from business networks and non-control systems
CVEs (1)