Rockwell Automation in the past week published three new security advisories that inform customers about a total of 10 vulnerabilities discovered recently in its FactoryTalk, PowerFlex and Arena Simulation products.
The US cybersecurity agency CISA has also released advisories to inform organizations about the vulnerabilities found in the industrial automation giant’s products.
One of the advisories describes six flaws found and patched in the Arena Simulation software. The list includes five high-severity arbitrary code execution vulnerabilities and one medium-severity information disclosure and denial-of-service (DoS) issue.
Exploitation of each vulnerability requires convincing the targeted user to open a malicious file.
Rockwell Automation has credited researcher Michael Heinzl for reporting these vulnerabilities. Heinzl is often credited by vendors for reporting potentially serious vulnerabilities whose exploitation involves opening specially crafted files.
In the case of the Arena Simulation software vulnerabilities, Heinzl on Tuesday published his own advisories on his personal website. The researcher’s advisories reveal that exploitation involves specially crafted DOE files and that the findings were reported to the vendor through CISA in late November 2023.
The second Rockwell Automation advisory published in recent days covers three high-severity PowerFlex product vulnerabilities that can be exploited for DoS attacks. The vendor has yet to release any patches for these flaws, and advises customers to apply mitigations and security best practices to prevent exploitation.
The third advisory describes one medium-severity security issue discovered by Rockwell during internal testing in the FactoryTalk View ME product. Software updates have been released to patch the vulnerability.
“A vulnerability exists in the affected product that allows a malicious user to restart the PanelView Plus 7 terminal remotely without security protections. If the vulnerability is exploited, it could lead to the loss of view or control of the PanelView product,” the company explained.
Rockwell Automation recently announced that Stephen Ford has joined the company as vice president and chief information security officer (CISO).
Related: Rockwell Automation Warns Customers of Cisco Zero-Day Affecting Stratix Switches
Related: Rockwell ThinManager Vulnerabilities Could Expose Industrial HMIs to Attacks
Related: APT Exploit Targeting Rockwell Automation Flaws Threatens Critical Infrastructure