OTPulse

Rockwell Automation Pavilion8

CVSS score: 8.8
ICS-CERT advisory: ICSA-23-257-07
Published: Sep 14, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A session data retrieval vulnerability exists in Pavilion8 versions 5.17.00 and 5.17.01 in the jmx-console component. An authenticated attacker could retrieve and reuse other users' session tokens, potentially gaining unauthorized access to control system operations.

What this means
What could happen
An attacker with valid credentials could access other users' session data in Pavilion8, potentially allowing them to impersonate operators and issue commands to control systems or access sensitive configuration information.
Who's at risk
Water utilities, electric utilities, and manufacturing facilities using Pavilion8 versions 5.17.00 or 5.17.01 for SCADA operations and process control. Particularly relevant for organizations where operators access the Pavilion8 console remotely or from shared engineering networks.
How it could be exploited
An attacker with valid engineering credentials accesses the Pavilion8 web console and exploits a session handling vulnerability in the jmx-console component to retrieve and reuse other authenticated users' session tokens, gaining their privileges.
Prerequisites
  • Valid Pavilion8 operator or engineer credentials
  • Network access to Pavilion8 web console (port 80/443)
  • Pavilion8 version 5.17.00 or 5.17.01
  • Requires valid credentials (not unauthenticated)
  • Remotely exploitable over network
  • Low attack complexity
  • Could allow impersonation of control system operators
  • Affects operator access and command execution
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product      Affected Versions     Fix Status
Pavilion8    5.17.00 | 5.17.01     Fixed in 5.20
Remediation & Mitigation
Do now
WORKAROUND: If an immediate update is not possible, disable the jmx-console component by removing the jmx-console-action-handler servlet entries from the web.xml file, then restart the Pavilion8 Console Service.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Pavilion8 to version 5.20 or later.
Long-term hardening
HARDENING: Restrict network access to the Pavilion8 web console to authorized engineering workstations only, using firewall rules.
HARDENING: Isolate the Pavilion8 console from the business network and from the internet.
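As an added verification aid for the web.xml workaround above (example code written for this page, not Rockwell's or the advisory's own): it audits a deployment descriptor for servlet and servlet-mapping entries wired to jmx-console-action-handler and produces the stripped descriptor, so the change can be checked before the Console Service is restarted. The sample web.xml, its namespace and the servlet class names are constructed for illustration; only the servlet name comes from the advisory.

```python
import xml.etree.ElementTree as ET
TARGET = "jmx-console-action-handler"  # servlet name quoted in the workaround

# Constructed sample web.xml, not Pavilion8's real deployment descriptor.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>console</servlet-name>
    <servlet-class>com.example.ConsoleServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>jmx-console-action-handler</servlet-name>
    <servlet-class>com.example.JmxActionHandler</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>console</servlet-name>
    <url-pattern>/console/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jmx-console-action-handler</servlet-name>
    <url-pattern>/jmx-console/*</url-pattern>
  </servlet-mapping>
</web-app>"""

def _local(tag):
    # Drop the {namespace} prefix so matching works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def _servlet_name(elem):
    for child in elem:
        if _local(child.tag) == "servlet-name":
            return (child.text or "").strip()
    return ""

def _is_jmx_entry(elem):
    return _local(elem.tag) in ("servlet", "servlet-mapping") and _servlet_name(elem) == TARGET

def find_jmx_entries(web_xml):
    """List (kind, name) for each entry still wiring up the jmx-console handler.
    An empty list means the workaround has been applied."""
    return [(_local(e.tag), _servlet_name(e)) for e in ET.fromstring(web_xml) if _is_jmx_entry(e)]

def strip_jmx_entries(web_xml):
    """Return web.xml text with the jmx-console servlet and its mapping removed;
    every other servlet and mapping is left untouched."""
    root = ET.fromstring(web_xml)
    if root.tag.startswith("{"):  # keep the default namespace on re-serialisation
        ET.register_namespace("", root.tag[1:].split("}")[0])
    for e in [e for e in root if _is_jmx_entry(e)]:
        root.remove(e)
    return ET.tostring(root, encoding="unicode")
```

Run find_jmx_entries over the live web.xml after editing it; anything still listed means the handler can still be reached and the restart will not disable the component.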