Rockwell Automation today announced the availability of firmware updates and published a security advisory addressing critical vulnerabilities (CVE-2023-3595 and CVE-2023-3596) in Select Communication Modules used in its ControlLogix controllers. Updates for all affected versions—including those no longer supported by Rockwell Automation—are available as well as detection rules. Successful exploitation of these vulnerabilities could allow malicious actors to gain remote access to the running memory of the module and perform malicious activity.
Rockwell Automation Select Communication Modules provide communication links between devices, IT systems, and remote communication. ControlLogix controllers are heavily used across critical infrastructure industries.
The vulnerabilities surfaced after an internal analysis of an exploit capability linked to an unnamed advanced persistent threat actor (APT), Rockwell Automation said. Critical infrastructure operators targeted by APT actors should note that this is an unusual opportunity to understand such a capability belonging to this type of advanced attacker before it’s used in the wild.
“We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear,” Rockwell said in its advisory. “Previous threat actors cyber activity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers.”
The two vulnerabilities affect 1756-EN2*, 1756-EN3*, and 1756-EN4* communication modules.
CVE-2023-3595, an out-of-bounds write vulnerability (CWE-787), was assessed a CVSS v3 score of 9.8 by CISA (advisory). They affect EN2* and EN3* modules, and could allow an attacker to gain persistence on a vulnerable system and remotely execute code using maliciously crafted CIP messages. An attacker would be able to modify, deny, and exfiltrate data moving through the controller.
CVE-2023-3596, an out-of-bounds write vulnerability (CWE-787), (CVSS v3: 7.5) affects EN4* products only, and allows an attacker to carry out denial-of-service attacks through crafted CIP messages.
Depending on the user’s configuration of ControlLogix, additional impacts may be possible, Rockwell and CISA said.
“Exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affect the underlying industrial process,” Rockwell said in its advisory. “This could result in destructive actions where vulnerable modules are installed, including critical infrastructure.”
The full list of affected modules is below:
1756-EN2T Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2T Series D: Versions 11.003 and prior
1756-EN2TK Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TK Series D: Versions 11.003 and prior
1756-EN2TXT Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TXT Series D: Versions 11.003 and prior
1756-EN2TP Series A: Versions 11.003 and prior
1756-EN2TPK Series A: Versions 11.003 and prior
1756-EN2TPXT Series A: Versions 11.003 and prior
1756-EN2TR Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TR Series C: Versions 11.003 and prior
1756-EN2TRK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRK Series C: Versions 11.003 and prior
1756-EN2TRXT Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRXT Series C: Versions 11.003 and prior
1756-EN2F Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2F Series C: Versions 11.003 and prior
1756-EN2FK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2FK Series C: Versions 11.003 and prior
1756-EN3TR Series A: Versions 5.008 and 5.028 and prior
1756-EN3TR Series B: Versions 11.003 and prior
1756-EN3TRK Series A: Versions 5.008 and 5.028 and prior
1756-EN3TRK Series B: Versions 11.003 and prior
1756-EN4TR Series A: Versions 5.001 and prior
1756-EN4TRK Series A: Versions 5.001 and prior
1756-EN4TRXT Series A: Versions 5.001 and prior
Rockwell urges organizations running affected communications modules to take the following steps as mitigations against these critical flaws:
Firmware Update: EN2* ControlLogix communications modules should be updated to firmware revision 11.0004; EN4* ControlLogix communications modules should be updated to firmware revision 5.002.
Segment: Since network connectivity to a vulnerable module is required for a successful exploit, users should ensure industrial networks are segmented from the internet and enterprise networks.
Signatures: Rockwell has provided a number of Snort signatures users can deploy to monitor for anomalous CIP packets sent to ControlLogix controllers. The Snort rules provided to Claroty by Rockwell follow:
PROTOCOL-SCADA ENIP CIP Socket Object unconnected read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object unconnected ucmm read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object connected read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object connected ucmm read with unusual length detected
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 2 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object attribute with unusual length detected
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 2 contains unusual length
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable due to failure of the update mechanism to verify the update server's certificate which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7
CWE-321 USE OF HARD-CODED CRYPTOGRAPHIC KEY:
In 2N Access Commander Versions 1.14 and prior, an attacker, who needs to have administrative access privileges, can read hardcoded AES passphrases, which may be used for decryption of certain data within backup files of 2N Access Commander Version 1.14 and older.
2N advises updating to Access Commander Version 3.3
CVSS v3: 6.0
CWE-295 IMPROPER CERTIFICATE VALIDATION:
MicroDicom DICOM Viewer fails to adequately verify the update server's certificate, which could make it possible for attackers in a privileged network position to alter network traffic and carry out a machine-in-the-middle (MITM) attack. This allows the attackers to modify the server's response and deliver a malicious update to the user.
MicroDicom recommends users upgrade to DICOM Viewer version 2025.1
CVSS v3: 5.7
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'):
AutomationDirect C-more EA9 HMI contains a function with bounds checks that can be skipped, which could result in an attacker abusing the function to cause a denial-of-service condition or achieving remote code execution on the affected device.
AutomationDirect recommends that users update C-MORE EA9 HMI software and firmware to V6.80
CVSS v3: 9.8
CWE-476 NULL POINTER DEREFERENCE:
The affected product is vulnerable to a NULL Dereference vulnerability, which could allow a remote attacker to create a denial-of-service condition. Successful exploitation of this vulnerability could could result in a remote attacker causing a denial-of-service condition on the affected devices.
Belledonne Communications recommends users implement the fix in Version 5.3.99 of the linphone-sdk.
CVSS v3: 7.5
