CVE-2024-37367 Overview
CVE-2024-37367 is an authentication vulnerability [CWE-287] in Rockwell Automation FactoryTalk View Site Edition (SE) v12. A remote user running FTView can send a crafted packet to the customer server and view a Human-Machine Interface (HMI) project without proper authentication verification. The flaw exposes operational technology (OT) project data to unauthorized network actors with access to the FactoryTalk environment.
Critical Impact
Remote attackers with network access and FTView client capability can retrieve HMI project contents from FactoryTalk View SE servers without valid authentication, exposing industrial process logic and configuration data.
Affected Products
- Rockwell Automation FactoryTalk View SE v12
- Industrial control system (ICS) deployments using FactoryTalk View Site Edition
- HMI environments managed through FTView clients
Discovery Timeline
- 2024-06-14 - CVE-2024-37367 published to the National Vulnerability Database (NVD)
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-37367
Vulnerability Analysis
The vulnerability resides in how FactoryTalk View SE v12 handles inbound project access requests from FTView clients. The server processes a packet requesting HMI project data without first validating that the requester holds a valid authenticated session. The CWE-287 classification (Improper Authentication) reflects that the authentication check is either missing or incorrectly enforced on this code path.
The vulnerability is network-reachable and does not require user interaction. An attacker only needs the ability to send the request packet from a system running FTView to reach the vulnerable server endpoint. Successful exploitation exposes HMI project content, which can include screen layouts, tag references, scripts, and operational logic used to control industrial processes.
Disclosure of HMI project material gives an adversary blueprint-level insight into the targeted industrial environment. This information supports reconnaissance for follow-on attacks against programmable logic controllers (PLCs), supervisory systems, and field devices.
Root Cause
The server-side handler for HMI project view requests lacks proper authentication verification before returning project data. The trust decision is effectively delegated to the calling FTView client rather than enforced server-side.
Attack Vector
Exploitation requires network access to the FactoryTalk View SE server and the FTView client capability to construct the request. The attacker sends the request packet to the server, which responds with HMI project content without challenging the requester for valid credentials.
No verified public proof-of-concept code is available for CVE-2024-37367. Refer to the Rockwell Automation Security Advisory SD1675 for vendor technical details.
Detection Methods for CVE-2024-37367
Indicators of Compromise
- Unexpected FTView client connections originating from hosts outside the engineering workstation subnet
- Unauthenticated or anonymous requests reaching FactoryTalk View SE server processes on HMI project endpoints
- HMI project read operations recorded outside scheduled engineering activity windows
Detection Strategies
- Inspect FactoryTalk View SE server logs for project access requests that do not correlate with an authenticated user session
- Deploy network detection rules to flag FTView protocol traffic crossing trust boundaries between IT and OT segments
- Correlate firewall and switch flow records with the authoritative inventory of approved FTView clients
Monitoring Recommendations
- Enable verbose auditing on FactoryTalk View SE servers to capture all project access attempts, including source IP and account context
- Forward FactoryTalk Diagnostic logs to a central SIEM or data lake for retention and correlation against network telemetry
- Alert on first-seen client hosts initiating HMI project read requests against production FactoryTalk View SE servers
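The correlation described in the detection and monitoring bullets above, as an added example that is not part of the original page or of any Rockwell Automation tooling: it scores constructed HMI project-access events against an approved-client inventory, the engineering subnet, a scheduled activity window, and a persisted first-seen host set. The event fields, subnet, inventory and window are assumptions; a real collector would map FactoryTalk Diagnostics records onto these fields.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed environment values; replace with the site's authoritative data.
ENGINEERING_SUBNET = ip_network("10.10.20.0/24")   # approved workstation range
APPROVED_CLIENTS = {"10.10.20.15", "10.10.20.16"}   # approved FTView client inventory
ENGINEERING_WINDOW = (time(8, 0), time(17, 0))      # scheduled engineering window


@dataclass
class ProjectAccessEvent:
    """One HMI project read as logged by the server (assumed field layout)."""
    ts: datetime
    src_ip: str
    account: Optional[str]   # None when no authenticated session was recorded
    project: str


def analyze(events, seen_clients):
    """Return (alerts, updated_seen). alerts is a list of (src_ip, reason);
    seen_clients is the persisted set of hosts observed in earlier runs."""
    alerts = []
    seen = set(seen_clients)
    start, end = ENGINEERING_WINDOW
    for ev in events:
        src = ip_address(ev.src_ip)
        if ev.account is None:
            alerts.append((ev.src_ip, "project read without authenticated session"))
        if src not in ENGINEERING_SUBNET:
            alerts.append((ev.src_ip, "client outside engineering subnet"))
        if ev.src_ip not in APPROVED_CLIENTS:
            alerts.append((ev.src_ip, "client not in approved FTView inventory"))
        if ev.src_ip not in seen:
            alerts.append((ev.src_ip, "first-seen client host"))
            seen.add(ev.src_ip)
        if not (start <= ev.ts.time() <= end):
            alerts.append((ev.src_ip, "project read outside engineering window"))
    return alerts, seen


# Constructed sample events: one benign engineering read, one suspicious read.
SAMPLE_EVENTS = [
    ProjectAccessEvent(datetime(2024, 6, 20, 10, 5), "10.10.20.15", "OT\\eng1", "LineA"),
    ProjectAccessEvent(datetime(2024, 6, 20, 2, 30), "192.168.50.7", None, "LineA"),
]

if __name__ == "__main__":
    for ip, reason in analyze(SAMPLE_EVENTS, {"10.10.20.15"})[0]:
        print(f"ALERT {ip}: {reason}")
```

Persist the returned seen set between runs so that the first-seen rule keeps its state across collection intervals.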
How to Mitigate CVE-2024-37367
Immediate Actions Required
- Apply the security update referenced in Rockwell Automation advisory SD1675 to all FactoryTalk View SE v12 servers
- Restrict network reachability of FactoryTalk View SE servers to authorized engineering workstations only
- Audit existing FTView client installations and remove unauthorized or unused deployments
Patch Information
Rockwell Automation has published guidance and a fix in the Rockwell Automation Security Advisory SD1675. Customers should consult the advisory for the patched version and apply it to all v12 deployments. A Rockwell Automation customer account is required to access the advisory.
Workarounds
- Segment FactoryTalk View SE servers behind an industrial demilitarized zone (IDMZ) and block FTView protocols from general corporate networks
- Enforce host-based firewall rules on the FactoryTalk View SE server to allow inbound connections only from approved engineering workstations
- Require jump host and multi-factor authentication for any administrative access to the OT network hosting FactoryTalk View SE
# Example Windows firewall rules limiting FactoryTalk View SE inbound traffic to approved engineering hosts
# Windows Firewall evaluates explicit Block rules before Allow rules, so a separate "block from Any" rule for the same program would also block the approved subnet. Rely on the profile's default inbound Block action instead and add only the Allow rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName "Restrict FTView SE Inbound" -Direction Inbound -Program "C:\Program Files (x86)\Rockwell Software\RSView Enterprise\FTViewSE.exe" -RemoteAddress 10.10.20.0/24 -Action Allow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

