CVE-2024-12371 Overview
A critical device takeover vulnerability exists in the Rockwell Automation Power Monitor 1000. This vulnerability allows an unauthenticated attacker to configure a new Policyholder user without any authentication via the device's API. The Policyholder user is the most privileged user account that can perform edit operations, create admin users, and execute factory resets—effectively granting complete control over the affected device.
Critical Impact
Unauthenticated remote attackers can gain full administrative control of Power Monitor 1000 devices, enabling configuration manipulation, admin user creation, and factory reset execution.
Affected Products
- Rockwell Automation Power Monitor 1000
Discovery Timeline
- 2024-12-18 - CVE-2024-12371 published to NVD
- 2024-12-18 - Last updated in NVD database
Technical Details for CVE-2024-12371
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The Power Monitor 1000 device exposes an API endpoint that handles Policyholder user configuration without requiring any form of authentication. This design flaw allows any network-accessible attacker to interact with the device's management interface and create highly privileged user accounts.
The Policyholder role represents the highest privilege level within the Power Monitor 1000's access control hierarchy. Once an attacker creates a Policyholder account, they gain the ability to modify device configurations, create additional administrative users for persistent access, and even perform factory resets that could disrupt industrial monitoring operations.
Root Cause
The root cause of this vulnerability is the absence of authentication controls on the API endpoint responsible for Policyholder user provisioning. Critical user management functions are exposed without verifying the identity or authorization of the requesting party, violating fundamental secure design principles for industrial control systems.
Attack Vector
The attack vector is network-based, requiring no user interaction and no prior authentication. An attacker with network access to the Power Monitor 1000 device can send crafted API requests to the vulnerable endpoint. The attack flow involves:
- Identifying an exposed Power Monitor 1000 device on the network
- Sending an unauthenticated API request to configure a new Policyholder user
- Using the newly created privileged account to gain full administrative control
- Performing malicious actions such as creating backdoor accounts, modifying configurations, or executing factory resets
The vulnerability is exploited via the device's API. Because the Policyholder configuration endpoint requires no credentials in affected firmware, the request that creates the account is a well-formed management request like any other; nothing in it is malformed or obviously malicious, so controlling which hosts can reach the device at the network layer is the main line of defence until the firmware is updated. The endpoint and request format are not reproduced here; for detailed technical information, refer to the Rockwell Automation Security Advisory.
Detection Methods for CVE-2024-12371
Indicators of Compromise
- Unexpected Policyholder or administrative user accounts appearing on Power Monitor 1000 devices
- API requests to user management endpoints from hosts other than the designated management stations, in whatever request logging the device, an upstream proxy, or a network sensor provides (do not assume the device itself records them)
- Configuration changes to Power Monitor 1000 devices without corresponding authorized change tickets
- Factory reset events occurring without maintenance windows
Detection Strategies
- Monitor network traffic to Power Monitor 1000 devices and alert on requests from any host other than the designated management stations; in affected firmware every request to the Policyholder endpoint is unauthenticated by design, so the discriminator is the source address and the HTTP method (writes such as POST or PUT), not a missing credential
- Implement network segmentation monitoring to detect unauthorized access attempts to industrial control system networks
- Deploy intrusion detection signatures for API calls to the Policyholder configuration endpoint, built from the request format documented in advisory SD1714 rather than guessed
- Conduct periodic audits of user accounts on Power Monitor 1000 devices against a recorded baseline of approved accounts to identify unauthorized additions
Monitoring Recommendations
- Establish baseline network communication patterns for Power Monitor 1000 devices (which hosts talk to them, on which ports, how often) and alert on deviations
- Implement logging and alerting for user account creation events where the device supports it; where it does not, capture the device's HTTP traffic at a network tap or SPAN port so account changes are visible there
- Monitor for unexpected configuration changes or factory reset commands
- Deploy network monitoring solutions capable of inspecting industrial control system protocols
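The check behind the two lists above, as an added example that is not part of the advisory or of the original page: it parses Zeek http.log lines captured at a tap in front of the devices and flags any request to a Power Monitor 1000 from a host that is not the authorized management station (rated high when it is a write, since that is what account creation looks like), plus writes from the authorized station so they can be reconciled with change tickets. The device addresses, the management station address, and the /api/... paths are assumptions; the page does not document the vulnerable endpoint, and the sample log is constructed.

```python
"""Flag HTTP requests to Power Monitor 1000 devices that come from somewhere
other than the authorized management station, and any write (POST/PUT/PATCH/
DELETE) to a device so it can be reconciled with a change ticket.

Input is Zeek http.log (tab-separated, with a '#fields' header). The sample
below is constructed; device/management IPs and the /api/... paths are
assumptions, not documented Power Monitor 1000 endpoints.
"""
from dataclasses import dataclass

PM1000_DEVICES = {"10.20.30.40", "10.20.30.41"}   # assumed device addresses
AUTHORIZED_MGMT = {"10.10.10.100"}                # assumed management station
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Fallback column order if the log has no '#fields' header (subset of Zeek's default).
DEFAULT_FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
                  "id.resp_p", "method", "host", "uri", "status_code")

# Constructed sample log: one authorized read, one authorized write, then an
# unknown host 192.168.55.7 reading and writing to two devices, and finally a
# write to a host that is not a PM1000 (must be ignored).
SAMPLE_LOG = "\n".join([
    "#fields\t" + "\t".join(DEFAULT_FIELDS),
    "1734480000.1\tC1\t10.10.10.100\t51000\t10.20.30.40\t80\tGET\t10.20.30.40\t/status\t200",
    "1734480001.2\tC2\t10.10.10.100\t51001\t10.20.30.40\t80\tPOST\t10.20.30.40\t/api/users\t200",
    "1734480002.3\tC3\t192.168.55.7\t40001\t10.20.30.40\t80\tGET\t10.20.30.40\t/\t200",
    "1734480003.4\tC4\t192.168.55.7\t40002\t10.20.30.40\t80\tPOST\t10.20.30.40\t/api/users\t200",
    "1734480004.5\tC5\t192.168.55.7\t40003\t10.20.30.41\t80\tPOST\t10.20.30.41\t/api/reset\t200",
    "1734480005.6\tC6\t10.10.10.100\t51002\t10.99.0.5\t80\tPOST\t10.99.0.5\t/api/users\t200",
    "#close\t2024-12-18-00-00-00",
])


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    method: str
    uri: str
    severity: str   # "high", "medium" or "info"
    reason: str


def parse_http_log(text, default_fields=DEFAULT_FIELDS):
    """Parse Zeek http.log text into dicts keyed by column name."""
    fields = list(default_fields)
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]      # honour the log's own column order
            continue
        if not line or line.startswith("#"):   # other headers, #close, blank lines
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):          # malformed line: skip, don't misalign
            continue
        rows.append(dict(zip(fields, parts)))
    return rows


def analyze(rows, devices=PM1000_DEVICES, authorized=AUTHORIZED_MGMT):
    """Return alerts for traffic to the devices, in log order.

    The vulnerable endpoint accepts requests with no credentials, so a
    'missing auth header' is not a usable signal; source address and HTTP
    method are what distinguish an attack from routine management here.
    """
    alerts = []
    for r in rows:
        dst = r.get("id.resp_h")
        if dst not in devices:
            continue
        src = r.get("id.orig_h", "?")
        method = r.get("method", "").upper()
        is_write = method in WRITE_METHODS
        if src not in authorized:
            severity = "high" if is_write else "medium"
            reason = ("write to device from unauthorized host" if is_write
                      else "read of device from unauthorized host")
        elif is_write:
            severity = "info"
            reason = "write from authorized station; reconcile with change ticket"
        else:
            continue   # authorized read: normal polling/monitoring traffic
        alerts.append(Alert(r.get("ts", "?"), src, dst, method,
                            r.get("uri", "?"), severity, reason))
    return alerts


def unauthorized_sources(alerts):
    """Hosts that touched a device without being on the allowlist, with hit counts."""
    counts = {}
    for a in alerts:
        if a.severity in ("high", "medium"):
            counts[a.src] = counts.get(a.src, 0) + 1
    return counts


if __name__ == "__main__":
    alerts = analyze(parse_http_log(SAMPLE_LOG))
    for a in alerts:
        print(f"[{a.severity:6}] {a.ts} {a.src} -> {a.dst} {a.method} {a.uri}: {a.reason}")
    print("unauthorized sources:", unauthorized_sources(alerts))
```

Run it against a real http.log exported from a Zeek sensor on the ICS segment; the only tuning needed is the two address sets. If the devices are managed over HTTPS, the tap sees only the TCP connection, not the method or URI, so the source-address rule still fires but the write/read distinction is lost; in that case treat every connection from a non-allowlisted host as high.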
How to Mitigate CVE-2024-12371
Immediate Actions Required
- Isolate Power Monitor 1000 devices from untrusted networks immediately
- Implement network segmentation to restrict access to industrial control systems
- Audit existing user accounts on all Power Monitor 1000 devices for unauthorized Policyholder or admin accounts
- Apply the corrected firmware identified in Rockwell Automation Security Advisory SD1714; until it is installed, treat every affected device as exposed and keep it behind the network controls above
Patch Information
Rockwell Automation has released a security advisory addressing this vulnerability. Administrators should consult the Rockwell Automation Security Advisory SD1714 for detailed patch information, affected firmware versions, and remediation guidance.
Workarounds
- Place Power Monitor 1000 devices behind firewalls with strict access control rules limiting connectivity to authorized management systems only
- Implement network access controls (ACLs) to restrict API access to trusted IP addresses
- Use VPN connections for remote access to industrial control system networks
- Regularly review and remove unauthorized user accounts from affected devices
# Network segmentation example - restrict access to ICS devices
# These rules run on the Linux firewall/router between the plant network and the
# Power Monitor 1000, not on the device itself, so they belong in the FORWARD chain
# (INPUT only matches traffic addressed to the firewall host).
# Assumed addresses: device 10.20.30.40, authorized management station 10.10.10.100;
# assumed management ports TCP 80/443. Adjust to the ports actually in use.
iptables -A FORWARD -d 10.20.30.40 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 10.20.30.40 -s 10.10.10.100 -p tcp -m multiport --dports 80,443 -j ACCEPT
# Log (rate-limited) and then drop everything else addressed to the device, not only ports 80/443
iptables -A FORWARD -d 10.20.30.40 -m limit --limit 5/min -j LOG --log-prefix "PM1000-DENY: "
iptables -A FORWARD -d 10.20.30.40 -j DROP
# Confirm the rules sit ahead of any broader ACCEPT rule already in the chain
iptables -L FORWARD -n -v --line-numbers
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.