Rockwell Automation ControlLogix Bugs Exposing Industrial Systems to Remote Attacks
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of two security flaws affecting the Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module model that can be exploited to achieve remote code execution and denial-of-service (DoS).
“The outcome and impact of exploiting these vulnerabilities varies depending on ControlLogix system configuration, but they can lead to denial or loss of control, denial or loss of view, theft of operational data, or manipulation of controls for disruptive or damaging consequences to system industrial processes for which they are responsible. replied the ControlLogix system,” Draogos said.
The list of cons is as follows –
- CVE-2023-3595 (CVSS score: 9.8) – Over-limit write flaw impacting 1756 EN2* and 1756 EN3* products that could result in persistent arbitrary code execution on target systems via maliciously crafted common industry protocol (CIP) messages.
- CVE-2023-3596 (CVSS score: 7.5) – An out-of-bounds write flaw impacting 1756 EN4* products that could cause a DoS condition via a maliciously crafted CIP message.
“Successful exploitation of this vulnerability could allow a malicious actor to gain remote access to running module memory and perform malicious activity,” CISA said.
Even worse, flaws can be abused to potentially override any part of the system to fly under the radar and stay afloat, not to mention render the module untrustworthy.
Protecting Against Insider Threats: SaaS Master Security Posture Management
Worried about insider threats? We are here to help you! Join this webinar to explore practical strategies and secrets to proactive security with SaaS Security Posture Management.
Affected devices include 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK , 1756- EN3TR , 1756-EN3TRK, 1756-EN4TR, 1756-EN4TRK, and 1756-EN4TRXT. A patch has been made available by Rockwell Automation to address the issue.
The access type provided by CVE-2023-3595 is similar to the zero-day used by Xenotime in TRISIS attack,” says the industrial cybersecurity firm. “Both allow arbitrary manipulation of firmware memory, though CVE-2023-3595 targets the communications module responsible for handling network commands. However, the effect is the same.”
TRISIS, also known as TRITON, is a former industrial control system (ICS) malware observed targeting Schneider Electric’s Triconex safety instrumented system (SIS) controller used in oil and gas facilities. A petrochemical plant in Saudi Arabia was discovered as a victim in late 2017, according to Dragos and Mandiant.
Dragos warns that it found “unreleased exploit capabilities that take advantage of this vulnerability” related to the identified group of nation-states and that as of mid-July 2023, “there is no evidence of exploitation in the wild and targeted victim organizations and industry verticals are unknown.” .”
“Apart from compromising the vulnerable module itself, the vulnerability could also allow attackers to influence industrial processes along with underlying critical infrastructure, which could result in possible disruption or destruction,” researcher Tenable Satnam Narang said from CVE-2023-3595.
