OTPulse

Rockwell Automation Verve Reporting (Update A)

Monitor
CVSS: 7.2
ICS-CERT ICSA-24-319-13
Nov 14, 2024
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation Verve Reporting versions earlier than 1.39 contain a high-severity vulnerability (CWE-1395) that allows authenticated users with high-level privileges to execute arbitrary code on the reporting server. The vulnerability affects all deployments of affected Verve Reporting versions. No firmware or software update is currently available from the vendor.

What this means
What could happen
An attacker with high-level user privileges can execute arbitrary code on the Verve Reporting server, potentially gaining control of the system and any connected networks or data it manages.
Who's at risk
Water utilities and electric utilities using Rockwell Automation Verve Reporting (versions earlier than 1.39) for SCADA data analysis and reporting. Any organization relying on Verve Reporting for operational visibility or historical data analysis should review its user permission configuration immediately.
How it could be exploited
An attacker must first obtain high-privilege credentials or an admin account on the Verve Reporting system. Once authenticated with sufficient privileges, they can exploit the vulnerability to execute arbitrary code on the server running Verve Reporting.
Prerequisites
  • High-level user or administrator account credentials on Verve Reporting
  • Network access to Verve Reporting interface
  • Rockwell Automation Verve Reporting version earlier than 1.39
Tags: remotely exploitable; requires high-level credentials; no patch available; arbitrary code execution capability
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (1)
Product          | Affected Versions | Fix Status
Verve Reporting  | <1.39             | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Restrict user privileges by assigning only the 'all-all' and 'feature-all-all' roles to non-administrator accounts
  • WORKAROUND: Disable machine learning in the Elasticsearch configuration by setting 'xpack.ml.enabled: false' in the elasticsearch.override.yml file
Mitigations - no patch available
Verve Reporting versions earlier than 1.39 have reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Monitor and audit all high-privilege account activity on Verve Reporting systems
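The two checks a defender would want to script from this advisory are the version test (anything earlier than 1.39 is affected and will never get a fix) and the Elasticsearch workaround (xpack.ml.enabled must be explicitly false in elasticsearch.override.yml). The script below is an added example written for this page, not OTPulse or Rockwell Automation tooling; the override-file reader is a deliberately minimal flat key/value parser, and the two sample override files are constructed for the example.

```python
"""Audit the 'Do now' controls from the Verve Reporting advisory (added example,
not vendor code): is the installed version earlier than 1.39, and does
elasticsearch.override.yml set xpack.ml.enabled: false?"""
from typing import Dict, List, Tuple

FIXED_VERSION = (1, 39)       # the advisory: versions earlier than 1.39 are affected
ML_KEY = "xpack.ml.enabled"   # the setting named in the workaround


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.38.2' into (1, 38, 2); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))


def version_affected(version: str) -> bool:
    """True when the installed version sorts before 1.39.
    Tuple comparison makes (1, 38, 9) < (1, 39) and (1, 39, 0) > (1, 39)."""
    return parse_version(version) < FIXED_VERSION


def parse_override_yml(text: str) -> Dict[str, str]:
    """Minimal reader for flat 'key: value' lines (a simplified parser written for
    this example, not a full YAML parser). Comments and blank lines are skipped and
    surrounding quotes on values are stripped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def ml_disabled(settings: Dict[str, str]) -> bool:
    """The workaround only holds when the key is present and explicitly false;
    an absent key leaves the Elasticsearch default (ML enabled) in force."""
    return settings.get(ML_KEY, "").lower() == "false"


def audit(installed_version: str, override_yml: str) -> List[str]:
    """Return a list of findings; an empty list means both controls are in place."""
    findings: List[str] = []
    if version_affected(installed_version):
        findings.append(
            f"Verve Reporting {installed_version} is earlier than 1.39 and has no vendor fix"
        )
    settings = parse_override_yml(override_yml)
    if ML_KEY not in settings:
        findings.append(f"{ML_KEY} is not set in elasticsearch.override.yml (default keeps ML enabled)")
    elif not ml_disabled(settings):
        findings.append(f"{ML_KEY} is '{settings[ML_KEY]}', expected 'false'")
    return findings


# Constructed sample override files for the example (not from any real deployment).
WEAK_OVERRIDE = """# elasticsearch.override.yml - ML left at its default
cluster.name: verve-reporting
"""

HARDENED_OVERRIDE = """# elasticsearch.override.yml - workaround applied
cluster.name: verve-reporting
xpack.ml.enabled: false
"""

if __name__ == "__main__":
    # Hypothetical installed version used for the demo run.
    for label, text in (("weak", WEAK_OVERRIDE), ("hardened", HARDENED_OVERRIDE)):
        for finding in audit("1.38.2", text) or ["no findings"]:
            print(f"[{label}] {finding}")
```

Run it against the real override file by reading the file contents into the second argument of audit(); a non-empty result on an EOL version means the compensating controls, not a patch, are the only thing standing between a high-privilege account and code execution on the server.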