A vulnerability classified as critical has been found in Rockwell FactoryTalk EnergyMetrix up to 2.19. Affected is an unknown functionality of the component Logout Handler. The manipulation with an unknown input leads to a improper authorization vulnerability. CWE is classifying the issue as CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 does not invalidate credentials upon a logout action, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

The weakness was presented 07/28/2016 (Website). The advisory is available at ics-cert.us-cert.gov. This vulnerability is traded as CVE-2016-4531 since 05/05/2016. The exploitability is told to be easy. It is possible to launch the attack remotely. The successful exploitation needs a authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1548.002 by the MITRE ATT&CK project.

Upgrading to version 2.20.00 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 92135†). See VDB-90377 for similar entry. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Vendor

• Rockwell

Name

• FactoryTalk EnergyMetrix

Version

• 2.0
• 2.1
• 2.2
• 2.3
• 2.4
• 2.5
• 2.6
• 2.7
• 2.8
• 2.9
• 2.10
• 2.11
• 2.12
• 2.13
• 2.14
• 2.15
• 2.16
• 2.17
• 2.18
• 2.19

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion