Rockwell Automation today announced the availability of firmware updates and published a security advisory addressing critical vulnerabilities (CVE-2023-3595 and CVE-2023-3596) in Select Communication Modules used in its ControlLogix controllers. Updates for all affected versions—including those no longer supported by Rockwell Automation—are available as well as detection rules. Successful exploitation of these vulnerabilities could allow malicious actors to gain remote access to the running memory of the module and perform malicious activity.
Rockwell Automation Select Communication Modules provide communication links between devices, IT systems, and remote communication. ControlLogix controllers are heavily used across critical infrastructure industries.
The vulnerabilities surfaced after an internal analysis of an exploit capability linked to an unnamed advanced persistent threat actor (APT), Rockwell Automation said. Critical infrastructure operators targeted by APT actors should note that this is an unusual opportunity to understand such a capability belonging to this type of advanced attacker before it’s used in the wild.
“We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear,” Rockwell said in its advisory. “Previous threat actors cyber activity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers.”
The two vulnerabilities affect 1756-EN2*, 1756-EN3*, and 1756-EN4* communication modules.
CVE-2023-3595, an out-of-bounds write vulnerability (CWE-787), was assessed a CVSS v3 score of 9.8 by CISA (advisory). They affect EN2* and EN3* modules, and could allow an attacker to gain persistence on a vulnerable system and remotely execute code using maliciously crafted CIP messages. An attacker would be able to modify, deny, and exfiltrate data moving through the controller.
CVE-2023-3596, an out-of-bounds write vulnerability (CWE-787), (CVSS v3: 7.5) affects EN4* products only, and allows an attacker to carry out denial-of-service attacks through crafted CIP messages.
Depending on the user’s configuration of ControlLogix, additional impacts may be possible, Rockwell and CISA said.
“Exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affect the underlying industrial process,” Rockwell said in its advisory. “This could result in destructive actions where vulnerable modules are installed, including critical infrastructure.”
The full list of affected modules is below:
1756-EN2T Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2T Series D: Versions 11.003 and prior
1756-EN2TK Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TK Series D: Versions 11.003 and prior
1756-EN2TXT Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TXT Series D: Versions 11.003 and prior
1756-EN2TP Series A: Versions 11.003 and prior
1756-EN2TPK Series A: Versions 11.003 and prior
1756-EN2TPXT Series A: Versions 11.003 and prior
1756-EN2TR Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TR Series C: Versions 11.003 and prior
1756-EN2TRK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRK Series C: Versions 11.003 and prior
1756-EN2TRXT Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRXT Series C: Versions 11.003 and prior
1756-EN2F Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2F Series C: Versions 11.003 and prior
1756-EN2FK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2FK Series C: Versions 11.003 and prior
1756-EN3TR Series A: Versions 5.008 and 5.028 and prior
1756-EN3TR Series B: Versions 11.003 and prior
1756-EN3TRK Series A: Versions 5.008 and 5.028 and prior
1756-EN3TRK Series B: Versions 11.003 and prior
1756-EN4TR Series A: Versions 5.001 and prior
1756-EN4TRK Series A: Versions 5.001 and prior
1756-EN4TRXT Series A: Versions 5.001 and prior
Rockwell urges organizations running affected communications modules to take the following steps as mitigations against these critical flaws:
Firmware Update: EN2* ControlLogix communications modules should be updated to firmware revision 11.0004; EN4* ControlLogix communications modules should be updated to firmware revision 5.002.
Segment: Since network connectivity to a vulnerable module is required for a successful exploit, users should ensure industrial networks are segmented from the internet and enterprise networks.
Signatures: Rockwell has provided a number of Snort signatures users can deploy to monitor for anomalous CIP packets sent to ControlLogix controllers. The Snort rules provided to Claroty by Rockwell follow:
PROTOCOL-SCADA ENIP CIP Socket Object unconnected read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object unconnected ucmm read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object connected read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object connected ucmm read with unusual length detected
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 2 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object attribute with unusual length detected
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 2 contains unusual length
CWE-121 STACK-BASED BUFFER OVERFLOW:
Affected Vertiv products contain a stack based buffer overflow vulnerability. An attacker could exploit this vulnerability to gain code execution on the device.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Affected Vertiv products do not properly protect webserver functions that could allow an attacker to bypass authentication.
Vertiv recommends users take the following actions:
CVSS v3: 9.8
CWE 287: Improper Authentication
An Improper Authentication vulnerability exists in Danfoss AK-SM8xxA Series, resulting in an authentication bypass. Install the latest patch with number 4.2 to remediate this vulnerability. This flaw could enable an attacker to generate a web report that discloses sensitive information such as internal IP addresses, usernames, store names, and other sensitive information.e
CVSS v3: 8.2
CWE-798 USE OF HARD-CODED CREDENTIALS:
In Optigo Networks ONS NC600 versions 4.2.1-084 through 4.7.2-330, an attacker could connect with the device's ssh server and utilize the system's components to perform OS command executions.
Optigo Networks recommends users implement at least one of the following additional mitigations:
CVSS v3: 9.8
CWE-78 Improper Neutralization of Special Elements used in an OS Command:
A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of service condition on the product.
Mitsubishi Electric Europe B.V. recommends that users take note of the following mitigation measures to minimize the risk of exploiting this vulnerability:
CVSS v3: 9.8
