Rockwell Automation DataMosaix Private Cloud

Plan Patch8.8ICS-CERT ICSA-24-284-15Oct 10, 2024

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

DataMosaix Private Cloud versions 7.07 and earlier contain insufficient access control vulnerabilities (CWE-862, CWE-863) and information exposure issues (CWE-200) that allow authenticated users to view customer data beyond their assigned scope or create, modify, and delete their own projects. Rockwell Automation has corrected these issues in version 7.09. The vulnerabilities require valid user credentials and network access to the DataMosaix web interface but do not require administrative privileges.

What this means

What could happen

An attacker with valid user credentials could view confidential customer data or modify and delete their own projects within DataMosaix, potentially disrupting analytics workflows and exposing sensitive operational information.

Who's at risk

Organizations using Rockwell Automation DataMosaix Private Cloud for industrial data analytics and monitoring should be concerned. This includes manufacturing facilities, utilities, and process plants that rely on DataMosaix for historical data storage and analytics to support operational decision-making.

How it could be exploited

An attacker with legitimate user credentials gains network access to DataMosaix Private Cloud and logs in through the web interface. Once authenticated, they can exploit insufficient access controls (CWE-862/863) to view data beyond their assigned permissions or modify project configurations they should not have access to.

Prerequisites

Valid user credentials (username and password)
Network access to DataMosaix Private Cloud web interface
DataMosaix version 7.07 or earlier deployed

Requires valid credentials (insider risk)Affects data confidentiality and integrityNo patch available for versions before 7.09Low complexity exploitation once authenticated

Affected products (1)

ProductAffected VersionsFix Status

DataMosaix Private Cloud: <=7.07≤ 7.07v7.09

Remediation & Mitigation

0/5

Do now

0/1

HARDENINGRestrict network access to DataMosaix Private Cloud; ensure it is not exposed to the internet and is only reachable from your internal engineering network

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade DataMosaix Private Cloud to version 7.09 or later

HARDENINGReview and enforce principle of least privilege for DataMosaix user accounts; remove unnecessary project and data permissions

Long-term hardening

0/2

HARDENINGUse VPN or other secure remote access methods if DataMosaix must be accessed from outside your facility; verify VPN client and appliance are up to date

HARDENINGImplement network segmentation to isolate DataMosaix from your business network and the internet

CVEs (3)

CVE-2024-7952 CVE-2024-7953 CVE-2024-7956

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1b5e82d4-f0cf-4dad-a01b-b29bfec22d39