Rockwell Automation ThinManager ThinServer
Priority: Act Now | Score: 9.8 | Source: ICS-CERT ICSA-24-193-18 | Published: Jul 11, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
ThinManager ThinServer versions 11.1.0 through 13.2.0 contain an input validation vulnerability (CWE-20) in the communication protocol on TCP port 2031. Successful exploitation allows an attacker to execute arbitrary code with the privileges of the ThinServer process or cause denial-of-service by crashing the service. Rockwell Automation has released patched versions: 11.1.8, 11.2.9, 12.0.7, 12.1.8, 13.0.5, 13.1.3, and 13.2.2. No public exploitation has been reported at this time.
What this means
What could happen
An attacker could execute arbitrary code on the ThinManager ThinServer or disrupt communication with thin client terminals, causing loss of visibility and control over connected plant floor devices or HMI systems.
Who's at risk
Water utilities, electric utilities, and manufacturing plants that rely on ThinManager ThinServer to connect thin client terminals (touch panels, operator stations) to their control systems. Especially critical if ThinServer is the central point for operator interaction with PLCs, RTUs, or other field devices.
How it could be exploited
An attacker on the network (or on the internet, if port 2031 is exposed) sends malformed input to TCP port 2031 on the ThinServer. The server processes this input without proper validation, allowing the attacker to execute commands with the privileges of the ThinServer process or to crash the service, disconnecting all thin clients.
Prerequisites
- Network access to TCP port 2031 on the ThinManager ThinServer
- No authentication required
Tags: remotely exploitable; no authentication required; low complexity; affects visibility and control systems; no patch available for older versions (11.1.0–13.2.0 except noted patch versions)
Exploitability
Moderate exploit probability (EPSS 8.1%)
Affected products (2)
Product | Affected Versions | Fix Status
ThinManager ThinServer | 11.1.0, 11.2.0, 12.0.0, 12.1.0, 13.0.0, 13.1.0, 13.2.0 | No fix yet
ThinManager ThinServer | 11.1.0, 11.2.0, 12.0.0, 12.1.0, 13.0.0, 13.1.0 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict remote access to TCP port 2031 to only known thin client IP addresses and authorized ThinManager servers using firewall rules
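One way to apply that workaround on the Windows host running ThinServer, as an added example that is not part of the advisory and is not Rockwell Automation's guidance: Windows Defender Firewall rules that admit inbound TCP 2031 only from known thin clients and peer ThinManager servers. The subnet and server addresses are constructed placeholders; replace them with your own. Because an explicit Block rule in Windows Firewall always wins over an Allow rule, the example does not add a catch-all Block for port 2031 (that would also cut off the allowed hosts); instead it relies on the profile's default inbound action being Block and audits for any pre-existing rule that opens the port more broadly.

```powershell
# Added example, not from the advisory or from Rockwell Automation.
# Restricts inbound TCP 2031 on a ThinServer host to known sources.
# All addresses below are constructed placeholders.

$AllowedThinClients  = @('10.10.20.0/24')             # constructed: thin client subnet
$AllowedThinManagers = @('10.10.10.5', '10.10.10.6')  # constructed: peer ThinManager servers
$AllowedSources      = $AllowedThinClients + $AllowedThinManagers

# 1. Make sure traffic not matched by an explicit Allow rule is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Audit: list every enabled inbound rule that already opens TCP 2031.
#    A rule with RemoteAddress 'Any' would make the scoped rule below meaningless,
#    so such rules should be disabled or narrowed before continuing.
$existing = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '2031' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Name          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = ($remote -join ',')
        }
    }

if ($existing) {
    Write-Warning 'Existing inbound rules for TCP 2031 found; review these before relying on the scoped rule:'
    $existing | Format-Table -AutoSize
}

# 3. Add the scoped Allow rule for the known sources only.
New-NetFirewallRule `
    -DisplayName   'ThinServer TCP 2031 - known thin clients and ThinManager servers only' `
    -Description   'Workaround for ICSA-24-193-18: limit ThinServer protocol access to approved hosts' `
    -Direction     Inbound `
    -Protocol      TCP `
    -LocalPort     2031 `
    -RemoteAddress $AllowedSources `
    -Action        Allow `
    -Profile       Any

# 4. Verify the rule and its address scope.
Get-NetFirewallRule -DisplayName 'ThinServer TCP 2031 - known thin clients and ThinManager servers only' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Run from an elevated PowerShell session on the ThinServer host. This host-based rule is a complement to, not a substitute for, the network segmentation and perimeter filtering listed under long-term hardening; it does nothing for an attacker who is already inside an allowed subnet, which is why the patched versions remain the actual fix.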
Schedule — requires maintenance window
Note: Patching may require device reboot — plan for process interruption
HOTFIX: Update ThinManager ThinServer to corrected version: 11.1.8, 11.2.9, 12.0.7, 12.1.8, 13.0.5, 13.1.3, or 13.2.2
Long-term hardening
HARDENING: Implement network segmentation to isolate ThinManager ThinServer from internet-facing networks and business networks
HARDENING: If remote access to ThinManager is required, route it through a VPN or secure remote access gateway and ensure the gateway is kept current with security patches
API:
/api/v1/advisories/cbe8b342-bc4d-41ac-8e47-7a06e7bd0f69