A critical security vulnerability [3], identified as CVE-2024-6242 [1] [2], has been disclosed in Rockwell Automation’s ControlLogix and GuardLogix controllers [3].
Description
This flaw, discovered by Claroty, allows threat actors to bypass the Trusted Slot feature [2] [3], potentially leading to unauthorized access to industrial control systems [3]. Attackers can exploit the vulnerability to execute Common Industrial Protocol (CIP) commands [1], altering controller projects and configurations [4] and sending elevated commands to the PLC CPU [1] [4]. Security researcher Sharon Brizinov highlighted the flaw’s potential to expose critical control systems to unauthorized access over the CIP protocol [2].
The vulnerability, which allows attackers to jump between local backplane slots within a 1756 chassis [2], affects versions V32.016 to V35.011 and specific network modules (1756-EN4TR, 1756-EN2T, 1756-EN2F, 1756-EN2TR, 1756-EN3TR, 1756-EN2TP) [2].
Rockwell Automation has released firmware updates to address this vulnerability, and users are advised to apply the updates promptly to mitigate the risk of exploitation. Additionally, Claroty has released a Snort rule to detect suspicious CIP Forward Open Requests [3], and organizations are urged to assess their risk exposure and implement necessary updates and mitigations to protect against potential attacks in OT environments [3]. The US CISA has also issued an advisory with mitigation recommendations.
Conclusion
It is crucial for organizations to promptly apply the firmware updates provided by Rockwell Automation to mitigate the risk of exploitation. By implementing necessary updates and mitigations [3], organizations can protect against potential attacks in OT environments [3]. The release of a Snort rule by Claroty to detect suspicious CIP Forward Open Requests further aids in enhancing security measures. The advisory issued by the US CISA underscores the importance of assessing risk exposure and taking proactive steps to safeguard critical control systems.
References
[1] https://securityaffairs.com/166581/ics-scada/rockwell-automation-controllogix-1756-flaw.html
[2] https://cyber.vumetric.com/security-news/2024/08/05/critical-flaw-in-rockwell-automation-devices-allows-unauthorized-access/
[3] https://cybersecuritynews.com/rockwell-automation-devices-flaw-let-hackers-gain-unauthorized-access/
[4] https://www.scmagazine.com/brief/security-bypass-possible-with-now-addressed-rockwell-logix-plc-flaw