Rockwell Automation Verve Reporting (Update A)
CVSS 7.2 · ICS-CERT ICSA-24-319-13 · Nov 14, 2024
Rockwell Automation
Attack path
- Attack Vector: Network
- Auth Required: High
- Complexity: Low
- User Interaction: None needed
Summary
Verve Reporting versions prior to 1.39 contain a vulnerability that allows an attacker with high-privilege administrative credentials to execute arbitrary code on the Reporting server. The vulnerability is present in the application's handling of administrative operations. Successful exploitation could lead to code execution and compromise of the reporting system, potentially affecting operational visibility and data integrity. No patch is planned by the vendor.
What this means
What could happen
An attacker with high-level administrative privileges could execute arbitrary code on the Verve Reporting server, potentially allowing them to manipulate reports, exfiltrate data, or disrupt reporting operations that management and operations rely on for decision-making.
Who's at risk
Organizations using Verve Reporting for industrial operations reporting and analytics should apply the mitigations listed under Remediation & Mitigation. This affects facility managers, operations centers, and anyone using Verve Reporting to monitor industrial processes and generate operational reports.
How it could be exploited
An attacker with administrative or high-privilege account credentials could exploit this vulnerability through the Verve Reporting application to execute arbitrary code on the server. This requires valid high-privilege credentials and direct access to the Verve Reporting interface.
Prerequisites
- Valid high-privilege administrative account credentials for Verve Reporting
- Network access to the Verve Reporting application interface
- Ability to authenticate to Verve Reporting with privileged account
- High-privilege requirement for exploitation
- No vendor patch available
- Remotely exploitable via authenticated network access
Exploitability
Some exploitation risk — EPSS score 1.2%
Affected products (1)
Product: Verve Reporting
Affected Versions: <1.39
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict user privileges by assigning non-administrative users only the 'all-all' and 'feature-all-all' roles instead of full administrative access
- WORKAROUND: Disable the machine learning feature in Elasticsearch by setting 'xpack.ml.enabled: false' in the Elasticsearch configuration override
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor and audit Verve Reporting administrative account usage and access logs for suspicious activity
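To confirm the Elasticsearch workaround above has actually taken effect on every node, the following added check (not from the advisory or the vendor) parses the JSON returned by Elasticsearch's `GET _nodes/settings` endpoint, in both its nested and `?flat_settings=true` forms, and reports nodes where `xpack.ml.enabled` is not `false`. The sample response is constructed for illustration; an absent setting is treated as enabled because that is the Elasticsearch default.

```python
"""Audit check: which Elasticsearch nodes still have machine learning enabled?

Added example, not the advisory's or the vendor's code. Input is the JSON body
of `GET _nodes/settings` (nested form) or `GET _nodes/settings?flat_settings=true`
(dotted keys). SAMPLE_RESPONSE below is constructed, not taken from a real cluster.
"""
import json


def _lookup(settings, dotted_key):
    """Fetch a setting from flat ("a.b.c") or nested ({"a": {"b": {"c": v}}}) form."""
    if dotted_key in settings:
        return settings[dotted_key]
    node = settings
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def ml_enabled_nodes(nodes_settings_response):
    """Return sorted names of nodes where the workaround is NOT applied.

    Elasticsearch defaults xpack.ml.enabled to true, so a missing setting counts
    as enabled; the API returns setting values as strings ("false"), not booleans.
    """
    offending = []
    for node_id, node in nodes_settings_response.get("nodes", {}).items():
        value = _lookup(node.get("settings", {}), "xpack.ml.enabled")
        if str(value).lower() != "false":
            offending.append(node.get("name", node_id))
    return sorted(offending)


# Constructed sample: override applied via nested settings (n1), via flat
# settings (n2), and one node that silently keeps the default (n3).
SAMPLE_RESPONSE = json.loads("""
{"nodes": {
  "n1": {"name": "es-data-1", "settings": {"xpack": {"ml": {"enabled": "false"}}}},
  "n2": {"name": "es-data-2", "settings": {"xpack.ml.enabled": "false"}},
  "n3": {"name": "es-data-3", "settings": {"cluster": {"name": "verve"}}}
}}
""")

if __name__ == "__main__":
    still_enabled = ml_enabled_nodes(SAMPLE_RESPONSE)
    print("nodes still running ML:", still_enabled or "none")
```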
CVEs (1)