Rockwell Automation is working on mitigations to fix cross-site scripting and authentication bypass vulnerabilities in its Allen-Bradley PowerMonitor 1000, according to a report with NCCIC.
Successful exploitation of these remotely exploitable vulnerabilities could allow a remote attacker to affect the confidentiality, integrity, and availability of the device. Public exploits are available, and an attacker with a low skill level could leverage the vulnerabilities.
All versions of PowerMonitor 1000, a monitoring platform, suffer from the issues, which were discovered by Luca Chiou of ACSI.
In one vulnerability, a remote attacker could inject arbitrary code into a targeted user’s web browser to gain access to the affected device.
CVE-2019-19615 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.
In addition, a remote attacker may be able to use a proxy to enable functionality typically available to those with administrative rights for the web application, allowing the attacker to bypass authentication. Once authentication is bypassed, the attacker could disrupt user settings and device configuration.
CVE-2019-19616 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
The product is used mainly in the energy sector, on a global basis.
Rockwell Automation is currently working on mitigations and reports that Check Point Software Technologies has released IPS rules to detect attempts to exploit CVE-2019-19615.
For more information, Rockwell Automation released a security notification (login required).