CVE-2024-6098

Summary

When performing an online tag generation to devices which communicate using the ControlLogix protocol, a machine-in-the-middle, or a device that is not configured correctly, could deliver a response leading to unrestricted or unregulated resource allocation. This could cause a denial-of-service condition and crash the Kepware application. By default, these functions are turned off, yet they remain accessible for users who recognize and require their advantages.

Affected Software

VendorProductVersion RangeStatus
PTCKepware ThingWorx Kepware ServerV6affected
PTCKepware KEPServerEXV6affected
Software ToolboxTOP ServerV6affected
GEIGSV7.6xaffected

Weaknesses

  • CWE-770: CWE-770 Allocation of Resources Without Limits or Throttling

Workarounds

PTC recommends users take a defense-in-depth stance with regards to their manufacturing networks ensuring proper access control is maintained. Additionally, proper adherence to the Kepware Secure Deployment Guide https://www.ptc.com/support/-/media/support/refdocs/ThingWorx_Kepware_Server/6,-d-,16/secure_deployment_guide_tks.pdf will minimize this threat through accurate configuration and use of the product.

Please refer to this article (login required) https://www.ptc.com/en/support/article/CS423892

for specific information on how this risk may be mitigated in your environment.

If additional questions remain, contact PTC Technical Support. https://support.ptc.com/apps/case_logger_viewer/cs/auth/ssl/log

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References