Advisory

Rockwell Automation reports multiple flaws in DataMosaix Private Cloud platform


Rockwell Automation is reporting multiple security vulnerabilities in its DataMosaix Private Cloud platform, a system widely deployed in critical manufacturing infrastructure worldwide. The vulnerabilities were reported directly to CISA by Rockwell Automation.

The vulnerabilities include:

  • CVE-2020-11656 (CVSS v4 score 9.3) - SQLite vulnerability: a use-after-free in SQLite's ALTER TABLE implementation. It is exploitable through ORDER BY clauses in compound SELECT statements and requires no authentication. Remote exploitation is possible with low attack complexity, and it can be chained with the next flaw for increased impact.
    • Affects Versions 7.09 and prior
  • CVE-2024-11932 (CVSS score 7.0) - Path traversal vulnerability. It allows files to be overwritten outside the intended directories, but requires administrative privileges. If exploited, it can result in corruption of reports and user projects.
    • Affects Version 7.11 and prior

The vulnerabilities could allow attackers to overwrite reports and user projects, potentially affecting critical manufacturing operations. Given the worldwide deployment of these systems and their use in critical infrastructure, the potential impact is significant.

Rockwell Automation has released version v7.11.01, which addresses both vulnerabilities. The company strongly recommends that users update to the latest version immediately, isolate the systems on a separate network and follow CISA's recommended defensive measures.
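A small triage helper, added here as an example and not code from Rockwell Automation or CISA, that maps an inventory of DataMosaix Private Cloud version strings to the advisory's two CVEs using the affected ranges and fix version stated above; the host names and version strings in the sample inventory are constructed, and "7.11 and prior" is read as 7.11.0 and below.

```python
# Added triage helper (not Rockwell Automation's or CISA's code): reports which
# of the two advisory CVEs a DataMosaix Private Cloud version is exposed to.
from typing import Dict, List, Tuple

# Affected ranges as stated in the advisory ("... and prior"); fix ships in v7.11.01.
ADVISORY: Dict[str, Tuple[str, str]] = {
    "CVE-2020-11656": ("7.09", "SQLite use-after-free in ALTER TABLE"),
    "CVE-2024-11932": ("7.11", "path traversal allowing file overwrite"),
}
FIXED_VERSION = "7.11.01"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v7.11.01' into (7, 11, 1).

    Numeric comparison matters: a plain string compare would sort '7.9' after
    '7.11' and would not recognise '7.11' as older than '7.11.01'. Missing
    trailing components count as zero, so 7.11 == 7.11.0 < 7.11.01.
    """
    cleaned = text.strip().lower().lstrip("v")
    parts: List[int] = []
    for piece in cleaned.split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(piece))
    while len(parts) < 3:  # pad so tuple comparison treats 7.11 as 7.11.0
        parts.append(0)
    return tuple(parts)


def exposed_cves(version: str) -> List[str]:
    """CVE IDs whose 'affected versions and prior' range still covers `version`."""
    v = parse_version(version)
    return [cve for cve, (max_affected, _) in ADVISORY.items()
            if v <= parse_version(max_affected)]


def is_patched(version: str) -> bool:
    """True once the installed build is at or above the fixed release."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to the CVEs it remains exposed to (empty list == nothing to do)."""
    return {host: exposed_cves(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: host name -> reported DataMosaix version.
    sample = {"plant-a-dm01": "7.09", "plant-b-dm01": "v7.11", "plant-c-dm01": "7.11.01"}
    for host, cves in triage(sample).items():
        print(host, "->", ", ".join(cves) if cves else "patched")
```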

CISA reports no known public exploitation of these vulnerabilities at the time of disclosure.
