Published Date: May 14, 2024
Last updated: August 6, 2025
Revision Number: 1.0
CVSS Score: v3.1: 6.5/10, v4.0: 7.0/10
AFFECTED PRODUCTS AND SOLUTION
Affected Product | First Known in software version | Corrected in software version
FactoryTalk® Remote Access™ (FTRA) | v13.5.0.174 | v13.6
SECURITY ISSUE DETAILS
Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerability.
CVE-2024-3640 IMPACT
An unquoted executable path exists in the affected products. When the FTRA installer package runs, the path of the executable it launches is not enclosed in quotes. Because directory names along that path contain spaces, Windows may resolve the string to a different file than the intended one, so a threat actor who can place a malicious executable at one of those alternate locations could have it run as the SYSTEM user. Exploitation requires local access with administrative privileges (AV:L and PR:H in the vectors below); the outcome is arbitrary code execution as SYSTEM on the affected host.
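The following is an added example, not code from Rockwell Automation or from FTRA. It models the Windows resolution rule behind CWE-428 for the service case the glossary describes: for an unquoted path such as C:\Program Files\Vendor\Remote Access\agent.exe, the Service Control Manager (via CreateProcess) tries C:\Program.exe, then C:\Program Files\Vendor\Remote.exe, and only then the real binary. The service names and ImagePath strings are constructed for the example; on a real host the same input comes from Get-CimInstance Win32_Service (Name, PathName). The functions enumerate those lookup candidates, flag the unquoted entries, and produce the quoted form that fixes them. Whether the candidate directories are writable by a low-privileged user decides how bad a finding is; for this advisory the vendor states administrative rights are required.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Windows service ImagePath values (not real FTRA data).
# On a live host the equivalent input is the PathName column of
#   Get-CimInstance Win32_Service | Select-Object Name, PathName
SAMPLE_SERVICES: Dict[str, str] = {
    "GoodSvc": '"C:\\Program Files\\Vendor\\Good Service\\svc.exe" -run',
    "BadSvc": "C:\\Program Files\\Vendor\\Remote Access\\agent.exe -run",
    "NoSpace": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
}

# Extensions that mark the end of the executable portion of an ImagePath.
_EXE_RE = re.compile(r"\.(exe|com|bat|cmd)$", re.IGNORECASE)


def split_exe_and_args(image_path: str) -> Tuple[str, str, bool]:
    """Return (executable, arguments, was_quoted) for an ImagePath string."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    tokens = s.split(" ")
    for i, tok in enumerate(tokens):
        if _EXE_RE.search(tok):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:]), False
    # No recognisable extension: treat the whole string as the executable,
    # which is also how the SCM would try it (with ".exe" appended).
    return s, "", False


def is_unquoted_path(image_path: str) -> bool:
    """CWE-428: the path is unquoted and the executable path itself has a space."""
    exe, _, quoted = split_exe_and_args(image_path)
    return (not quoted) and (" " in exe)


def candidate_paths(image_path: str) -> List[str]:
    """Paths Windows tries, in order, when launching an unquoted ImagePath.

    Each space is a possible end of the executable name; if the prefix has no
    extension, ".exe" is appended before the lookup. The last entry is the
    intended binary; every entry before it is a location an attacker could
    plant a file in.
    """
    exe, _, quoted = split_exe_and_args(image_path)
    if quoted:
        return [exe]
    tokens = exe.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not _EXE_RE.search(prefix):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_candidates(image_path: str) -> List[str]:
    """Locations resolved before the real binary (empty if not vulnerable)."""
    if not is_unquoted_path(image_path):
        return []
    return candidate_paths(image_path)[:-1]


def quote_image_path(image_path: str) -> str:
    """The fix: wrap the executable in quotes and leave its arguments alone."""
    exe, args, _ = split_exe_and_args(image_path)
    fixed = f'"{exe}"'
    return f"{fixed} {args}" if args else fixed


def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service name to the plantable paths it exposes."""
    return {
        name: hijack_candidates(path)
        for name, path in services.items()
        if is_unquoted_path(path)
    }


if __name__ == "__main__":
    for name, paths in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; resolved before the real binary:")
        for p in paths:
            print("   ", p)
        print("    fix:", quote_image_path(SAMPLE_SERVICES[name]))
```

Run against a real export, the audit output is the list of services to re-register with a quoted path (for a service, `sc config <name> binPath= "\"C:\path with spaces\svc.exe\" args"`), and the candidate directories are the ones whose ACLs to check for write access by non-administrators.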
CVSS Base Score v3.1: 6.5/10
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-428: Unquoted Search Path or Element
CVSS Base Score v4.0: 7.0/10
CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization (SSVC) to prioritize this vulnerability according to their own environment.
Mitigations and Workarounds
Customers using the affected software who are not able to upgrade to the corrected version should apply the security best practices.
ADDITIONAL RESOURCES
The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.
Glossary
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Unquoted Executable Path: a vulnerability that occurs when a service or program is registered with an executable path that contains spaces and is not enclosed in quotes, so Windows may resolve the path to a file other than the intended executable
Vulnerability Exploitability Exchange (VEX): a framework that allows software suppliers or other parties to assert the status of specific vulnerabilities in a particular product