CVE-2024-8603
Description:
1. EXECUTIVE SUMMARY
CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity
Vendor: B&R
Equipment: Automation Runtime
Vulnerability: Use of a Broken or Risky Cryptographic Algorithm
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to masquerade as legitimate services on impacted devices.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
B&R reports that the following products are affected:
B&R Automation Runtime: versions prior to 6.1
B&R mapp View: versions prior to 6.1
3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327
A "Use of a Broken or Risky Cryptographic Algorithm" vulnerability in the SSL/TLS component used in B&R Automation Runtime versions <6.1 and B&R mapp View versions <6.1 may be abused by unauthenticated network-based attackers to masquerade as legitimate services on impacted devices.
CVE-2024-8603 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Austria
3.4 RESEARCHER
ABB PSIRT reported this vulnerability to CISA.
4. MITIGATIONS
B&R has identified the following specific workarounds and mitigations users can apply to reduce risk:
All affected products: The problem is corrected in the following product versions: B&...
CVSS: HIGH (8.2) EPSS Score: 0.04%
January 28th, 2025
Description: A Threat Actor Claims to be Selling Unauthorized VPN Access to an Electrical Manufacturing Organization in Taiwan
January 28th, 2025
Description: Cryptojacking may be stealthy, but its impact is anything but. From inflated cloud bills to sluggish performance, it's a threat that companies can't ignore. Learn more from Pentera about how automated security validation can protect your org from these threats. [...]
January 28th, 2025
Description: Education software giant PowerSchool has started notifying individuals in the U.S. and Canada whose personal data was exposed in a late December 2024 cyberattack. [...]
January 28th, 2025
Description: Discover key insights from Recorded Future's 2024 report on cyber threats, criminal networks, SaaS identity risks, and strategies for 2025 cybersecurity.
January 28th, 2025
Description: Chinese AI model DeepSeek R1, hailed as a major breakthrough in reasoning capabilities, has been found to be highly vulnerable to security exploits, allowing it to generate harmful content, including malware, disinformation, and instructions for criminal activities. A recent investigation by cyber-intelligence firm KELA revealed that the model is particularly easy to jailbreak, posing a …
The post Chinese AI DeepSeek R1 Is a Privacy and Security Nightmare appeared first on CyberInsider.
January 28th, 2025
Description: Quantum computing will bring new security risks. Both professionals and legislators need to use this time to prepare.
January 28th, 2025
Description: Cybersecurity researchers have disclosed details of a now-patched account takeover vulnerability affecting a popular online travel service for hotel and car rentals.
"By exploiting this flaw, attackers can gain unauthorized access to any user’s account within the system, effectively allowing them to impersonate the victim and perform an array of actions on their behalf – including
January 28th, 2025
Description: Microsoft has started testing a new "scareware blocker" feature for the Edge web browser on Windows PCs, which uses machine learning (ML) to detect tech support scams. [...]
January 28th, 2025