

North Korean APT Kimsuky aka Black Banshee – Active IOCs
August 15, 2024
Severity
High
Analysis Summary
CVE-2024-6079 CVSS:6.7
Rockwell Automation Emulate3D allows a local authenticated attacker to execute arbitrary code on the system, caused by a DLL search order hijacking vulnerability in the Microsoft Windows client. By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-7515 CVSS:8.6
Multiple Rockwell Automation products are vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted PTP management packet, a remote attacker could exploit this vulnerability to cause a major nonrecoverable fault in the controller.
CVE-2024-7507 CVSS:7.5
Multiple Rockwell Automation products are vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted PCCC message, a remote attacker could exploit this vulnerability to cause a fault in the controller.
CVE-2024-7567 CVSS:5.3
Rockwell Automation Micro850/870 is vulnerable to a denial of service, caused by a flaw in the CIP/Modbus port in Micro850/870. By sending a specially crafted request, a remote attacker could exploit this vulnerability to disrupt the CIP/Modbus communication.
CVE-2024-7513 CVSS:8.8
Rockwell Automation FactoryTalk View Site Edition could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper default file permissions. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code with elevated permissions.
CVE-2024-6078 CVSS:9.1
Rockwell Automation DataMosaix Private Cloud could allow a remote attacker to bypass security restrictions, caused by improper authentication validation. By generating cookies for any user ID without the use of a username or password, an attacker could exploit this vulnerability to take over the account of a legitimate user.
CVE-2024-40620 CVSS:7.4
Rockwell Automation Pavilion8 could allow a remote authenticated attacker to obtain sensitive information, caused by the storage of sensitive information in plain text in the log files. By gaining access to the logs of proxy servers, an attacker could exploit this vulnerability to obtain sensitive information and use it to launch further attacks against the affected system.
Impact
- Denial of Service
- Code Execution
- Security Bypass
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2024-6079
- CVE-2024-7515
- CVE-2024-7507
- CVE-2024-7567
- CVE-2024-7513
- CVE-2024-6078
- CVE-2024-40620
Affected Vendors
- Rockwell Automation
Affected Products
- Rockwell Automation Emulate3D - 17.00.00.13276
- Rockwell Automation Compact GuardLogix 5380
- Rockwell Automation CompactLogix 5380
- Rockwell Automation CompactLogix 5480
- Rockwell Automation ControlLogix 5580
- Rockwell Automation GuardLogix 5580
- Rockwell Automation Micro850 22.0
- Rockwell Automation Micro870 22.0
- Rockwell Automation FactoryTalk View Site Edition 13.0
- Rockwell Automation DataMosaix Private Cloud 7.0
- Rockwell Automation Pavilion8 5.20
Remediation
Refer to Rockwell Automation for patch, upgrade or suggested workaround information.