Full Report
New research from Claroty’s Team82 uncovered critical security vulnerabilities in the Allen-Bradley (Rockwell Automation) PowerMonitor 1000, revealing an... The post Critical Rockwell PowerMonitor 1000 vulnerabilities risk device takeover, raising industrial cybersecurity threat appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: Critical Authentication Bypass and Memory Corruption in Rockwell Automation PowerMonitor 1000
## CVE Details
- CVE ID: CVE-2024-12371, CVE-2024-12372, CVE-2024-12373
- CVSS Score: 9.8 (Critical)
- CWE: Multiple (Authentication Bypass, Buffer Overflow)
## Affected Systems
- Products: Allen-Bradley PowerMonitor 1000
- Versions: Prior to firmware revision 4.020
- Configurations: Any device running older firmware. The vulnerabilities primarily affect the web interface and request processing logic.
## Vulnerability Description
Three critical vulnerabilities were discovered in the PowerMonitor 1000, which runs an RTOS (NET+WORKS, based on NET+OS version 6.0 and built on the ThreadX kernel). The firmware was analyzed as an unencrypted binary blob.
1. **CVE-2024-12371 (Authentication Bypass):** While the device is in normal operation (`normalWeb` mode), the web interface does not verify that a request aimed at the initial-setup page (`firstrunWeb`) genuinely belongs to the first-time setup process. An unauthenticated attacker can reach the `cgi_first_time` callback, bypass authentication, and create a new PolicyHolder account with credentials of their choosing, potentially leading to full device takeover.
2. **CVE-2024-12373 (Data Memory Region Buffer Overflow):** A buffer overflow vulnerability exists in the HTTP request endpoint parsing process. This occurs *before* any authorization checks are performed, allowing unauthenticated remote exploitation.
3. **CVE-2024-12372 (Heap Memory Buffer Overflow):** A classic heap buffer overflow caused by missing input validation in `Authorization` header processing: an HTTP request whose `Authorization` header carries a URI longer than 256 bytes overwrites heap memory.
## Exploitation
- Status: Not explicitly stated as exploited in the wild; however, PoCs likely exist given the clear technical details and high severity.
- Complexity: Low for CVE-2024-12371 (simple HTTP request manipulation); likely Medium/Low for the two overflows, since the RTOS lacks ASLR.
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Potential information disclosure)
- Integrity: High (Ability to modify configurations, enforce administrative changes, or overwrite memory)
- Availability: High (Ability to cause a Denial of Service/device crash)
## Remediation
### Patches
- Vendors recommend updating affected devices to **firmware revision 4.020** or later.
### Workarounds
- Although specific vendor-provided workarounds are not detailed, applying network segmentation and strict ingress filtering on the management interface of the PowerMonitor 1000 is a crucial immediate step to prevent remote access.
## Detection
- **Indicators of Compromise (IoC):**
  - Unusually high volume of HTTP requests directed at the device, particularly targeting setup/initialization endpoints.
  - Unexpected creation of new PolicyHolder user accounts.
  - Anomalies in web traffic headers, specifically extremely long URIs inside HTTP `Authorization` headers (indicative of CVE-2024-12372 exploitation attempts).
- **Detection Methods and Tools:**
  - Monitor network traffic logs for unauthorized web interface connection attempts.
  - Use Industrial Intrusion Detection Systems (IIDS) capable of deep packet inspection on OT networks to flag abnormal HTTP requests directed at control/monitoring devices.
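The indicators above can be turned into a simple request classifier. The following is an added example, not code from the advisory or from Claroty/Rockwell; it assumes the first-run setup handler is reachable through a request target that contains `cgi_first_time` or `firstrunWeb`, and uses the advisory's 256-byte limit for the `uri=` field of a Digest `Authorization` header. All sample traffic is constructed.

```python
import re
from collections import defaultdict

AUTH_URI_LIMIT = 256  # advisory: a uri value over 256 bytes overwrites heap memory
# Assumption: the setup handler is reached via a request target containing one
# of these names; adjust to what your devices actually serve.
SETUP_MARKERS = ("cgi_first_time", "firstrunweb")
URI_RE = re.compile(r'\buri\s*=\s*"?([^",\s]*)')  # Digest-auth uri= field


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, {lower-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def classify(raw: bytes) -> list:
    """Indicator names matched by one request; [] means nothing suspicious."""
    _method, target, headers = parse_request(raw)
    hits = []
    if any(m in target.lower() for m in SETUP_MARKERS):
        hits.append("setup-endpoint-request")       # CVE-2024-12371 indicator
    m = URI_RE.search(headers.get("authorization", ""))
    if m and len(m.group(1).encode("latin-1")) > AUTH_URI_LIMIT:
        hits.append("oversized-authorization-uri")  # CVE-2024-12372 indicator
    return hits


def scan(requests):
    """Aggregate indicators per source address: {src: sorted indicator names}."""
    per_src = defaultdict(set)
    for src, raw in requests:
        per_src[src].update(classify(raw))
    return {src: sorted(h) for src, h in per_src.items() if h}


# Constructed sample traffic (RFC 5737 addresses): a normal authenticated fetch,
# a request aimed at the setup callback, and one whose Digest uri= is 301 bytes.
SAMPLES = [
    ("192.0.2.10", b'GET /index.html HTTP/1.1\r\nHost: pm1000\r\n'
                   b'Authorization: Digest username="admin", uri="/index.html"\r\n\r\n'),
    ("192.0.2.77", b"GET /cgi_first_time HTTP/1.1\r\nHost: pm1000\r\n\r\n"),
    ("192.0.2.77", b'GET /index.html HTTP/1.1\r\nHost: pm1000\r\n'
                   b'Authorization: Digest username="x", uri="/' + b"A" * 300 + b'"\r\n\r\n'),
]
```

Feeding `scan` with requests reconstructed from a packet capture or reverse-proxy log gives a per-source list of indicators that an IIDS rule or SIEM alert can key on.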
## References
- Vendor Advisory (CISA ICS Advisory ICSA-24-352-03 can be referenced via CISA website)
- Claroty Team82 Research: https://claroty.com/team82/research/attention-high-voltage-exploring-the-attack-surface-of-the-rockwell-automation-powermonitor-1000