US CISA warns of Rockwell Automation ControlLogix flaws

Pierluigi Paganini July 14, 2023

The U.S. CISA warns of two flaws impacting Rockwell Automation ControlLogix that can lead to remote code execution and DoS attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of two vulnerabilities affecting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module models that could be exploited to achieve remote code execution and trigger a denial-of-service condition.

The first vulnerability, tracked as CVE-2023-3595 (CVSS score: 9.8), is an out-of-bounds write flaw that impacts 1756 EN2* and 1756 EN3* products. An attacker can trigger the vulnerability to achieve arbitrary code execution with persistence on the target system by sending maliciously crafted common industrial protocol (CIP) messages to the vulnerable devices

The second vulnerability, tracked as CVE-2023-3596 (CVSS score: 7.5), is an out-of-bounds write flaw impacting 1756 EN4* products. An attacker can trigger the flaw by sending maliciously crafted CIP messages to the vulnerable devices causing a DoS condition.

“CISA released one Critical Industrial Control Systems (ICS) advisory on July 12, 2023.” reads the advisory published by CISA. “This advisory provides timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.”

“Successful exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity.” continues the ICS advisory.

Impacted devices are 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK, 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT.

CISO recommends installing firmware updates released by Rockwell Automation, it also suggests to properly segmenting networks and implementing detection signatures.

In coordination with the U.S. government, Rockwell Automation has analyzed exploits developed by APT groups and targeting communication modules by Rockwell Automation in specific ControlLogix EtherNet/IP (ENIP) communication module models. The attackers developed exploits for the above issues , researchers from ICS cybersecurity firm Dragos reported.

“The results and impact of exploiting these vulnerabilities vary depending on the ControlLogix system configuration, but they could lead to denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control for disruptive or destructive consequences on the industrial process for which the ControlLogix system is responsible.” reads the advisory published by Dragos. “Dragos advises all ICS/OT asset owners to identify assets with impacted communications modules and update their Rockwell Automation ControlLogix firmware to the latest version as soon as possible.

The researchers pointed out that the exploitation of the flaw CVE-2023-3595 is similar to the exploitation of the zero-day issue employed by XENOTIME in the TRISIS attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ICS)

you might also like

leave a comment