{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2024-6098", "ASSIGNER": "ics-cert@hq.dhs.gov", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "When performing an online tag generation to devices which communicate \nusing the ControlLogix protocol, a machine-in-the-middle, or a device \nthat is not configured correctly, could deliver a response leading to \nunrestricted or unregulated resource allocation. This could cause a \ndenial-of-service condition and crash the Kepware application. By \ndefault, these functions are turned off, yet they remain accessible for \nusers who recognize and require their advantages." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-770 Allocation of Resources Without Limits or Throttling", "cweId": "CWE-770" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "PTC", "product": { "product_data": [ { "product_name": "Kepware ThingWorx Kepware Server", "version": { "version_data": [ { "version_affected": "=", "version_value": "V6" } ] } }, { "product_name": "Kepware KEPServerEX", "version": { "version_data": [ { "version_affected": "=", "version_value": "V6" } ] } } ] } }, { "vendor_name": "Software Toolbox", "product": { "product_data": [ { "product_name": "TOP Server", "version": { "version_data": [ { "version_affected": "=", "version_value": "V6" } ] } } ] } }, { "vendor_name": "GE", "product": { "product_data": [ { "product_name": "IGS", "version": { "version_data": [ { "version_affected": "=", "version_value": "V7.6x" } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-228-11", "refsource": "MISC", "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-228-11" }, { "url": "https://www.ptc.com/en/support/article/CS423892", "refsource": "MISC", "name": "https://www.ptc.com/en/support/article/CS423892" } 
] }, "generator": { "engine": "Vulnogram 0.2.0" }, "source": { "advisory": "ICSA-24-228-11", "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "PTC recommends users take a defense-in-depth stance with regards to \ntheir manufacturing networks ensuring proper access control is \nmaintained. Additionally, proper adherence to the Kepware Secure Deployment Guide will minimize this threat through accurate configuration and use of the product. \n Please refer to this article (login required) for specific information on how this risk may be mitigated in your environment. \n If additional questions remain, contact PTC Technical Support. \n\n" } ], "value": "PTC recommends users take a defense-in-depth stance with regards to \ntheir manufacturing networks ensuring proper access control is \nmaintained. Additionally, proper adherence to the Kepware Secure Deployment Guide https://www.ptc.com/support/-/media/support/refdocs/ThingWorx_Kepware_Server/6,-d-,16/secure_deployment_guide_tks.pdf will minimize this threat through accurate configuration and use of the product.\n\n\nPlease refer to this article (login required) https://www.ptc.com/en/support/article/CS423892 \n\n for specific information on how this risk may be mitigated in your environment.\n\n\nIf additional questions remain, contact PTC Technical Support. https://support.ptc.com/apps/case_logger_viewer/cs/auth/ssl/log" } ], "credits": [ { "lang": "en", "value": "Sharon Brizinov and Vera Mens of Claroty Research - Team82 reported this vulnerability to PTC." } ], "impact": { "cvss": [ { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ] } }