CVE-2023-2637

EPSS 0.01%
Published 13.06.2023 21:15:09
Last modified 21.11.2024 07:58:58
Source PSIRT@rockwellautomation.com
Teams watchlist Login
Open Login

Rockwell Automation's FactoryTalk System Services uses a hard-coded cryptographic key to generate administrator cookies.  Hard-coded cryptographic key may lead to privilege escalation.  This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk Policy Manger database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited.

Affected products Warnungen 0 Metrics 3 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Rockwellautomation ≫ Factorytalk Policy Manager Version6.11.0

Rockwellautomation ≫ Factorytalk System Services Version6.11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.01%	0.002

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.2	1.5	6	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
PSIRT@rockwellautomation.com	7.3	1.5	5.3	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H

CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1139683

Vendor Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2023-2637

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-2637

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-2637

EUVD