Rockwell Automation FactoryTalk ThinManager

Plan PatchCVSS 9.8ICS-CERT ICSA-24-305-01Oct 31, 2024

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

FactoryTalk ThinManager contains vulnerabilities (CWE-306 missing authentication, CWE-125 out-of-bounds read) that allow an attacker to send crafted messages to the device resulting in database manipulation or denial-of-service. The vulnerability affects ThinManager versions 11.2.0–11.2.8, 12.0.0–12.0.6, 12.1.0–12.1.7, 13.0.0–13.0.4, 13.1.0–13.1.2, 13.2.0–13.2.1, and 14.0.0. Exploitation requires network access to TCP port 2031 and no valid credentials.

What this means

What could happen

An attacker on the network could send crafted messages to ThinManager to corrupt its database or cause it to stop responding, disrupting visibility and control of connected devices across your facility.

Who's at risk

Water and electric utilities, food and beverage manufacturers, and other industries using Rockwell Automation FactoryTalk ThinManager for device management and industrial visibility. ThinManager is a server that centralizes monitoring and control of remote PLCs, HMIs, and industrial devices across multiple sites.

How it could be exploited

An attacker with network access to TCP port 2031 (ThinManager's default communication port) can send specially crafted messages that exploit missing input validation or authentication checks, triggering database manipulation or a denial-of-service condition without needing valid credentials.

Prerequisites

Network access to TCP port 2031 on the ThinManager device
No authentication required

remotely exploitableno authentication requiredlow complexityaffects industrial visibility and control systems

Exploitability

Some exploitation risk — EPSS score 6.2%

Affected products (7)

7 with fix

ProductAffected VersionsFix Status

ThinManager: >=12.0.0|<12.0.7≥ 12.0.0|<12.0.711.2.9

ThinManager: >=12.1.0|<12.1.8≥ 12.1.0|<12.1.811.2.9

ThinManager: >=13.0.0|<13.0.5≥ 13.0.0|<13.0.511.2.9

ThinManager: >=11.2.0|<11.2.9≥ 11.2.0|<11.2.911.2.9

ThinManager: >=13.1.0|<13.1.3≥ 13.1.0|<13.1.311.2.9

ThinManager: >=13.2.0|<13.2.2≥ 13.2.0|<13.2.211.2.9

ThinManager: 14.0.014.0.011.2.9

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to TCP port 2031 to only the devices and workstations that need to communicate with ThinManager

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate ThinManager to version 11.2.9 or later

Long-term hardening

0/1

HARDENINGSegment ThinManager onto a separate network behind a firewall, isolated from business networks and not accessible from the internet

CVEs (2)

CVE-2024-10386 CVE-2024-10387

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/16de1b7f-f50d-4bb3-a6f5-7df1052d39a0

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.