Rockwell Automation ThinManager ThinServer Multiple Vulnerabilities

CVE-2024-5988 - Message Type 20 Unauthenticated Remote Code Execution (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

An unauthenticated remote attacker can send a specifically crafted synchronization message of type 20 to execute a Tcl command, which can invoke a local or remote executable under the security context of SYSTEM.

CVE-2024-5989 - Message Type 11 Unauthenticated Database Manipulation (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

An unauthenticated remote attacker can send a specifically crafted synchronization message of type 11 to issue SQL statements to the ThinManager database. For example, the attacker can enable HTTP API and add an API key to the ApiKeys table in the database so that he or she can access protected API URL endpoints.

CVE-2024-5990 - Incomplete fix for CVE-2023-2914

ThinServer.exe v13.1.1.9 addressed the issue by preventing a bad size in many caller functions from being passed to the vulnerable "GetDataFromMsgBody" function. This mitigation, however, is missing in some caller functions. An unauthenticated remote attacker can still exploit the vulnerability by sending crafted messages to a monitor thread within ThinServer.exe.

Note: Certain information regarding proof-of-concepts in this advisory has been redacted at the request of the vendor. Despite this, Tenable maintains a stance in favor of open access to exploit details and vulnerability-related information, as we believe transparent and open discussion in these matters contribute significantly to enhancing the security of our customers and the community at large.