Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-10387

CVE-2024-10387: Rockwell ThinManager DoS Vulnerability

CVE-2024-10387 is a denial-of-service vulnerability in Rockwell Automation ThinManager that allows attackers to send crafted messages causing service disruption. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-10387 Overview

CVE-2024-10387 is a Denial-of-Service (DoS) vulnerability affecting Rockwell Automation ThinManager. A remote, unauthenticated attacker with network access to the device can send crafted messages that disrupt service availability. The flaw is associated with [CWE-125] Out-of-Bounds Read, which can cause the service to crash when processing malformed input.

ThinManager is widely deployed in industrial environments to centrally manage thin clients on operational technology (OT) networks. Loss of availability can interrupt operator visibility into Human-Machine Interfaces (HMIs) and impact production continuity.

Critical Impact

An unauthenticated network attacker can crash Rockwell Automation ThinManager, disrupting management of industrial thin clients and HMI sessions in OT environments.

Affected Products

  • Rockwell Automation ThinManager (multiple versions)
  • Rockwell Automation ThinManager 14.0.0
  • Deployments exposing ThinManager services to untrusted network segments

Discovery Timeline

  • 2024-10-25 - CVE-2024-10387 published to the National Vulnerability Database (NVD)
  • 2024-11-05 - Last updated in NVD database

Technical Details for CVE-2024-10387

Vulnerability Analysis

The vulnerability resides in ThinManager's network message handling logic. When the service parses a crafted message from a remote client, it performs an Out-of-Bounds Read ([CWE-125]) outside the intended buffer boundary. The condition leads to a service crash, producing a Denial-of-Service against the management plane.

Exploitation does not require authentication, user interaction, or elevated privileges. The attack surface is reachable over the network on systems where ThinManager listens for thin-client communications. Although the flaw does not expose confidentiality or integrity impacts, availability of ThinManager-managed sessions is directly affected.

In OT environments, the practical consequence is loss of operator console connectivity. Restarting the service may not be enough if attackers re-issue the malformed traffic, requiring network-layer containment.

Root Cause

The root cause is improper bounds checking when ThinManager processes incoming message fields. The parser reads beyond the allocated buffer based on attacker-controlled length or offset values, triggering an access violation that terminates the process.

Attack Vector

The attack vector is network-based. An attacker with reachability to the ThinManager service port sends a malformed protocol message. No credentials are required. The service crashes, and management of thin clients fails until the process is restored and the offending traffic is blocked. Refer to the Rockwell Automation Security Advisory SD1708 for protocol-level details.

Detection Methods for CVE-2024-10387

Indicators of Compromise

  • Unexpected termination or repeated restarts of the ThinManager service process on the management server.
  • Sudden loss of connectivity for managed thin clients and ThinServer agents.
  • Anomalous inbound traffic to ThinManager listening ports from non-allowlisted hosts.
  • Windows Event Log application crash entries referencing ThinManager modules.

Detection Strategies

  • Monitor process lifecycle of ThinManager services and alert on unexpected exits or watchdog restarts.
  • Inspect network traffic to ThinManager ports for malformed or oversized protocol fields using deep packet inspection.
  • Correlate thin-client disconnect bursts with inbound network events from a single source.

Monitoring Recommendations

  • Enable verbose logging on the ThinManager server and forward logs to a centralized SIEM.
  • Baseline normal ThinManager traffic volumes and source IPs, then alert on deviations.
  • Track service uptime metrics and trigger investigations on repeated unexpected restarts within short windows.

How to Mitigate CVE-2024-10387

Immediate Actions Required

  • Apply the fixed ThinManager versions published by Rockwell Automation as referenced in Advisory SD1708.
  • Restrict network access to the ThinManager server so only authorized thin clients and engineering workstations can connect.
  • Place ThinManager servers behind an OT-aware firewall and block inbound access from enterprise or untrusted networks.
  • Inventory all ThinManager installations, including version 14.0.0, and prioritize patching exposed instances.

Patch Information

Rockwell Automation has released fixed builds for affected ThinManager versions. Consult Rockwell Automation Security Advisory SD1708 for the current list of patched releases and upgrade paths. Apply vendor patches within scheduled OT maintenance windows and verify functionality after deployment.

Workarounds

  • Segment ThinManager onto a dedicated VLAN and apply strict ACLs limiting source IPs to known thin clients.
  • Deploy host-based firewalls on the ThinManager server to permit only required inbound ports.
  • Use a jump host or VPN with multi-factor authentication for any remote administrative access to ThinManager.
  • Disable or block external exposure of ThinManager management ports at the perimeter.
bash
# Configuration example: restrict ThinManager inbound access on Windows host firewall
# Replace 10.10.20.0/24 with your authorized thin-client subnet
netsh advfirewall firewall add rule name="ThinManager-Allow-ThinClients" \
  dir=in action=allow protocol=TCP localport=2031 remoteip=10.10.20.0/24
netsh advfirewall firewall add rule name="ThinManager-Block-Default" \
  dir=in action=block protocol=TCP localport=2031

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.