CVE-2024-45823 Overview
CVE-2024-45823 is an authentication bypass vulnerability in Rockwell Automation FactoryTalk Batch View version 2.01.00. The flaw stems from shared secrets reused across user accounts, allowing a threat actor to impersonate a legitimate user. Successful exploitation requires the attacker to enumerate additional information used during authentication. The vulnerability is tracked under CWE-287: Improper Authentication. Rockwell Automation published the issue in security advisory SD 1698, and the CVE was disclosed publicly on September 12, 2024.
Critical Impact
An unauthenticated network-based attacker can impersonate users of FactoryTalk Batch View, gaining access to industrial batch process management functions that control manufacturing operations.
Affected Products
- Rockwell Automation FactoryTalk Batch View 2.01.00
- Deployments using the affected version in industrial control system environments
- Operational technology (OT) networks exposing FactoryTalk Batch View services
Discovery Timeline
- 2024-09-12 - CVE-2024-45823 published to NVD
- 2024-10-02 - Last updated in NVD database
Technical Details for CVE-2024-45823
Vulnerability Analysis
The vulnerability resides in the authentication mechanism of FactoryTalk Batch View. The product relies on secrets that are not unique per user. Because these secrets are shared across accounts, the secret alone no longer distinguishes one identity from another; the separation between users rests entirely on the supplementary authentication data.
An attacker who knows or can enumerate the supporting authentication parameters can present credentials that the application accepts as belonging to another user. The result is identity impersonation against the batch management interface, which controls recipe execution and process state in industrial environments.
The attack vector is network-based and requires no privileges or user interaction. Attack complexity is high because the threat actor must first obtain the additional information used during the authentication exchange. Confidentiality, integrity, and availability impacts are all rated high.
Root Cause
The root cause is the use of shared authentication secrets across distinct accounts. Per CWE-287, the authentication design fails to bind credentials uniquely to a single identity. Any user-specific verification relies on supplementary data that, once enumerated, allows the attacker to complete authentication as another principal.
Attack Vector
Exploitation is performed remotely against the FactoryTalk Batch View service. The attacker enumerates additional account-identifying data, then submits an authentication request using the shared secret combined with the enumerated information. The application validates the request and grants a session bound to the impersonated user. No code execution primitives are required to abuse the flaw.
No verified proof-of-concept code is publicly available. Refer to the Rockwell Automation Security Advisory SD 1698 for vendor-provided technical details.
Detection Methods for CVE-2024-45823
Indicators of Compromise
- Successful authentication events for FactoryTalk Batch View users from unexpected source IP addresses or geographies
- Multiple failed authentication attempts followed by a successful login, indicating credential enumeration
- Concurrent active sessions for the same user account originating from different network segments
- Batch recipe or process state changes executed by accounts during atypical operational hours
Detection Strategies
- Correlate authentication logs from FactoryTalk Batch View against expected operator schedules and source workstations
- Baseline normal authentication traffic to the Batch View service and alert on deviations in request volume or origin
- Inspect network traffic for repeated authentication attempts that vary user identifiers while reusing static parameters
- Monitor process control changes for unauthorized recipe modifications or batch initiations
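As an added illustration (not taken from the advisory or from Rockwell Automation), the following script applies three of the indicators and strategies above to constructed sample log lines: successful logins from outside an engineering subnet, one source cycling through several user identifiers before a success, and one account active from more than one network segment. The log format, field names and the 10.10.5.0/24 allowlist are assumptions, since the page does not describe the actual FactoryTalk Batch View log layout.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not real FactoryTalk output): timestamp, user, source IP, result.
SAMPLE_LOG = """\
2024-09-12T08:00:01 operator1 10.10.5.21 SUCCESS
2024-09-12T08:00:05 operator2 10.10.5.22 SUCCESS
2024-09-12T08:01:10 operator1 10.20.7.9 FAIL
2024-09-12T08:01:11 operator2 10.20.7.9 FAIL
2024-09-12T08:01:12 operator3 10.20.7.9 FAIL
2024-09-12T08:01:13 admin 10.20.7.9 SUCCESS
2024-09-12T08:02:00 operator1 10.10.5.21 SUCCESS
2024-09-12T08:03:00 operator2 10.30.1.4 SUCCESS
"""

# Assumed allowlist: the engineering workstation subnet that should be the only login source.
ENGINEERING_SUBNET = ipaddress.ip_network("10.10.5.0/24")


def parse_log(text):
    """Turn the constructed log format into event dicts, preserving order."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append({"ts": ts, "user": user, "ip": ip, "ok": result == "SUCCESS"})
    return events


def unexpected_sources(events, allowed=ENGINEERING_SUBNET):
    """Successful logins whose source IP lies outside the allowlisted subnet."""
    return [e for e in events if e["ok"] and ipaddress.ip_address(e["ip"]) not in allowed]


def enumeration_then_success(events, min_failures=3):
    """One source IP failing against several distinct user identifiers, then succeeding."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    hits = []
    for ip, evs in per_ip.items():
        failed_users = set()
        for e in evs:
            if not e["ok"]:
                failed_users.add(e["user"])
                continue
            if len(failed_users) >= min_failures:
                hits.append((ip, sorted(failed_users), e["user"]))
            failed_users = set()  # a success ends the current enumeration run
    return hits


def concurrent_from_different_segments(events):
    """Accounts with successful logins from more than one /24 segment."""
    segments = defaultdict(set)
    for e in events:
        if e["ok"]:
            segments[e["user"]].add(str(ipaddress.ip_network(e["ip"] + "/24", strict=False)))
    return {user: sorted(s) for user, s in segments.items() if len(s) > 1}
```

In a SIEM these three checks would run over parsed FactoryTalk and Windows authentication events rather than a string constant; the thresholds and the /24 segment size should be tuned to the plant's actual network layout.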
Monitoring Recommendations
- Centralize FactoryTalk and Windows authentication events in a SIEM with OT-aware parsing
- Enable verbose logging on the Batch View server to capture authentication request metadata
- Deploy network intrusion detection on OT segments that host the Batch View service
- Review service account activity weekly and validate against authorized change tickets
How to Mitigate CVE-2024-45823
Immediate Actions Required
- Apply the vendor-provided update for FactoryTalk Batch View as referenced in Rockwell Automation advisory SD 1698
- Restrict network access to the Batch View service to authorized engineering workstations only
- Audit all FactoryTalk Batch View accounts and rotate credentials that may have been exposed
- Isolate affected systems on segmented OT networks behind firewalls per ISA/IEC 62443 zone and conduit guidance
Patch Information
Rockwell Automation has published remediation guidance in Security Advisory SD 1698. Customers running FactoryTalk Batch View 2.01.00 should consult the advisory for the corrected version and upgrade procedures. Patch deployment in OT environments should follow validated change-control processes.
Workarounds
- Block external network access to FactoryTalk Batch View interfaces using firewall ACLs
- Place the Batch View server behind a jump host requiring multi-factor authentication
- Disable or remove unused FactoryTalk Batch View accounts to reduce the enumeration surface
- Enforce strict source-IP allowlisting for all authentication requests to the service
# Example firewall rule restricting access to FactoryTalk Batch View
# Replace <BATCH_VIEW_IP> and <ENG_WORKSTATION_SUBNET> with environment values
iptables -A INPUT -p tcp -d <BATCH_VIEW_IP> --dport 443 \
-s <ENG_WORKSTATION_SUBNET> -j ACCEPT
iptables -A INPUT -p tcp -d <BATCH_VIEW_IP> --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.