Rockwell Automation today announced the availability of firmware updates and published a security advisory addressing critical vulnerabilities (CVE-2023-3595 and CVE-2023-3596) in Select Communication Modules used in its ControlLogix controllers. Updates for all affected versions—including those no longer supported by Rockwell Automation—are available as well as detection rules. Successful exploitation of these vulnerabilities could allow malicious actors to gain remote access to the running memory of the module and perform malicious activity.
Rockwell Automation Select Communication Modules provide communication links between devices, IT systems, and remote communication. ControlLogix controllers are heavily used across critical infrastructure industries.
The vulnerabilities surfaced after an internal analysis of an exploit capability linked to an unnamed advanced persistent threat actor (APT), Rockwell Automation said. Critical infrastructure operators targeted by APT actors should note that this is an unusual opportunity to understand such a capability belonging to this type of advanced attacker before it’s used in the wild.
“We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear,” Rockwell said in its advisory. “Previous threat actors cyber activity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers.”
The two vulnerabilities affect 1756-EN2*, 1756-EN3*, and 1756-EN4* communication modules.
CVE-2023-3595, an out-of-bounds write vulnerability (CWE-787), was assessed a CVSS v3 score of 9.8 by CISA (advisory). They affect EN2* and EN3* modules, and could allow an attacker to gain persistence on a vulnerable system and remotely execute code using maliciously crafted CIP messages. An attacker would be able to modify, deny, and exfiltrate data moving through the controller.
CVE-2023-3596, an out-of-bounds write vulnerability (CWE-787), (CVSS v3: 7.5) affects EN4* products only, and allows an attacker to carry out denial-of-service attacks through crafted CIP messages.
Depending on the user’s configuration of ControlLogix, additional impacts may be possible, Rockwell and CISA said.
“Exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affect the underlying industrial process,” Rockwell said in its advisory. “This could result in destructive actions where vulnerable modules are installed, including critical infrastructure.”
The full list of affected modules is below:
1756-EN2T Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2T Series D: Versions 11.003 and prior
1756-EN2TK Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TK Series D: Versions 11.003 and prior
1756-EN2TXT Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TXT Series D: Versions 11.003 and prior
1756-EN2TP Series A: Versions 11.003 and prior
1756-EN2TPK Series A: Versions 11.003 and prior
1756-EN2TPXT Series A: Versions 11.003 and prior
1756-EN2TR Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TR Series C: Versions 11.003 and prior
1756-EN2TRK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRK Series C: Versions 11.003 and prior
1756-EN2TRXT Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRXT Series C: Versions 11.003 and prior
1756-EN2F Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2F Series C: Versions 11.003 and prior
1756-EN2FK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2FK Series C: Versions 11.003 and prior
1756-EN3TR Series A: Versions 5.008 and 5.028 and prior
1756-EN3TR Series B: Versions 11.003 and prior
1756-EN3TRK Series A: Versions 5.008 and 5.028 and prior
1756-EN3TRK Series B: Versions 11.003 and prior
1756-EN4TR Series A: Versions 5.001 and prior
1756-EN4TRK Series A: Versions 5.001 and prior
1756-EN4TRXT Series A: Versions 5.001 and prior
Rockwell urges organizations running affected communications modules to take the following steps as mitigations against these critical flaws:
Firmware Update: EN2* ControlLogix communications modules should be updated to firmware revision 11.0004; EN4* ControlLogix communications modules should be updated to firmware revision 5.002.
Segment: Since network connectivity to a vulnerable module is required for a successful exploit, users should ensure industrial networks are segmented from the internet and enterprise networks.
Signatures: Rockwell has provided a number of Snort signatures users can deploy to monitor for anomalous CIP packets sent to ControlLogix controllers. The Snort rules provided to Claroty by Rockwell follow:
PROTOCOL-SCADA ENIP CIP Socket Object unconnected read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object unconnected ucmm read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object connected read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object connected ucmm read with unusual length detected
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 2 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object attribute with unusual length detected
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 2 contains unusual length
CWE-35 Path Traversal:
011209 Intercom could allow an authenticated attacker to upload arbitrary files to multiple locations within the system.
CyberData recommends users update to v22.0.1
CVSS v3: 9.8
CWE-522 Insufficiently Protected Credentials:
011209 Intercom does not properly store or protect web server admin credentials.
CyberData recommends users update to v22.0.1
CVSS v3: 7.5
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'):
011209 Intercom could allow an unauthenticated user to gather sensitive information through blind SQL injections.
CyberData recommends users update to v22.0.1
CVSS v3: 5.3
CWE-306 Missing Authentication for Critical Function:
011209 Intercom exposes features that could allow an unauthenticated to gain access and cause a denial-of-service condition or system disruption.
CyberData recommends users update to v22.0.1
CVSS v3: 7.5
CWE-288 Authentication Bypass Using an Alternate Path or Channel:
011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.
CyberData recommends users update to v22.0.1
CVSS v3: 9.8
