A high-severity security bypass vulnerability has been discovered in Rockwell Automation ControlLogix 1756 devices. The flaw, tracked as CVE-2024-6242, carries a CVSS v3.1 base score of 8.4 (High), reflecting the damage an attacker could do to a controller once it is exploited.
Vulnerability Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on the flaw, which lets threat actors bypass the Trusted Slot feature in ControlLogix controllers. The feature is meant to ensure that only modules in designated backplane slots can issue programming and configuration commands to the controller; with it bypassed, an attacker can deliver Common Industrial Protocol (CIP) programming and configuration commands to affected modules in a 1756 chassis from an untrusted slot.
“If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis,” CISA stated in their advisory.
Discovery and Exploitation
Claroty, an operational technology security company, discovered and reported the vulnerability. The firm's researchers developed a method to bypass the Trusted Slot feature, allowing them to send malicious commands to the programmable logic controller (PLC) CPU.
“The trusted slot feature enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis,” explained Sharon Brizinov, a security researcher at Claroty. “The vulnerability we found, before it was fixed, allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, traversing the security boundary meant to protect the CPU from untrusted cards.”
Technical Details
To exploit this vulnerability, an attacker needs network access to an affected communication module in the chassis; no authentication to the controller itself is required beyond that. Given that access, the impact is severe: the attacker can send privileged CIP requests, up to and including downloading arbitrary logic to the PLC CPU, even when the request enters the chassis through a network module sitting in an untrusted slot.
Brizinov elaborated, “This vulnerability had the potential to expose critical control systems to unauthorized access over the CIP protocol that originated from untrusted chassis slots.”
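The following Python model is an added illustrative example, not Rockwell firmware and not Claroty's exploit code. It parses the CIP port segments of a Logix route path (port 1 is the backplane, so the familiar route string "1,0" means "backplane, slot 0") and contrasts two hypothetical trust policies: one that looks only at the slot a request was last forwarded from, and one that requires every slot the request passed through to be trusted. The page does not publish the actual check in the controller, so both policies, the chassis layout and the route bytes are constructed assumptions chosen to show why a slot-to-slot hop over the backplane can defeat a per-hop trust decision.

```python
"""Toy model of CIP backplane routing against a trusted-slot policy.

Added illustrative example (not Rockwell or Claroty code). The chassis
layout, the two policies and the route bytes below are assumptions made
to show the shape of the problem described in the article.
"""
from __future__ import annotations

from dataclasses import dataclass

BACKPLANE_PORT = 1  # CIP port 1 is the 1756 backplane in Logix route paths ("1,<slot>")


@dataclass(frozen=True)
class PortSegment:
    port: int
    link: int  # for backplane hops the link address is the destination slot


def parse_route_path(raw: bytes) -> list[PortSegment]:
    """Parse simple CIP port segments: low nibble = port, next byte = link address.

    Extended port numbers (nibble 0xF) and extended link addresses (bit 4)
    are valid CIP but deliberately not modelled here.
    """
    segments: list[PortSegment] = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b & 0xE0:  # bits 7..5 must be 000 for a port segment
            raise ValueError(f"not a port segment at offset {i}: 0x{b:02x}")
        if b & 0x10:
            raise ValueError("extended link addresses are not modelled")
        port = b & 0x0F
        if port == 0x0F:
            raise ValueError("extended port numbers are not modelled")
        if i + 1 >= len(raw):
            raise ValueError("truncated port segment")
        segments.append(PortSegment(port, raw[i + 1]))
        i += 2
    return segments


def route_to_str(route: list[PortSegment]) -> str:
    """Render a parsed route in the "port,link,port,link" form used in Logix tools."""
    return ",".join(f"{s.port},{s.link}" for s in route)


def forwarding_slots(entry_slot: int, route: list[PortSegment]) -> list[int]:
    """Slots a request is forwarded *from*, in order.

    entry_slot holds the comm module that received the request from the network;
    every backplane hop except the last then becomes the next forwarding slot.
    The final segment is the destination (the controller) and is not a sender.
    """
    slots = [entry_slot]
    for seg in route[:-1]:
        if seg.port != BACKPLANE_PORT:
            raise ValueError("only local backplane hops are modelled")
        slots.append(seg.link)
    return slots


def last_hop_policy(entry_slot: int, route: list[PortSegment], trusted: set[int]) -> bool:
    """Assumed flawed policy: trust is decided on the immediate backplane sender only."""
    return forwarding_slots(entry_slot, route)[-1] in trusted


def every_hop_policy(entry_slot: int, route: list[PortSegment], trusted: set[int]) -> bool:
    """Hardened policy: every slot the request was forwarded from must be trusted."""
    return all(slot in trusted for slot in forwarding_slots(entry_slot, route))


# Constructed chassis: controller in slot 0, trusted comm module in slot 1,
# untrusted comm module in slot 4.
TRUSTED_SLOTS = {0, 1}
UNTRUSTED_ENTRY = 4

# Constructed route bytes. DIRECT goes straight to the controller ("1,0");
# BOUNCED first hops to the trusted module in slot 1 and only then to slot 0 ("1,1,1,0").
DIRECT = b"\x01\x00"
BOUNCED = b"\x01\x01\x01\x00"


def evaluate(raw: bytes) -> dict[str, bool]:
    """Run both policies on a request arriving at the untrusted module."""
    route = parse_route_path(raw)
    return {
        "last_hop": last_hop_policy(UNTRUSTED_ENTRY, route, TRUSTED_SLOTS),
        "every_hop": every_hop_policy(UNTRUSTED_ENTRY, route, TRUSTED_SLOTS),
    }


if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("bounced", BOUNCED)):
        print(name, route_to_str(parse_route_path(raw)), evaluate(raw))
```

Run as a script, the direct request from slot 4 is refused by both policies, while the bounced request is accepted by the last-hop policy and refused by the every-hop policy: the extra backplane hop is exactly the "jump between local backplane slots" the Claroty quote describes, and a check that only examines where the final hop came from cannot see it.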
Mitigation and Updates
Following responsible disclosure, Rockwell Automation has addressed this vulnerability in several updated versions of their products. Users are strongly advised to update their devices to the following versions:
- ControlLogix 5580 (1756-L8z): update to V32.016, V33.015, V34.014 or V35.011, or a later release in the same version line.
- GuardLogix 5580 (1756-L8zS): update to V32.016, V33.015, V34.014 or V35.011, or a later release in the same version line.
- 1756-EN4TR: update to V5.001 or later.
- 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B and 1756-EN2TP Series A: update to V12.001 or later.
Industry Impact
The discovery of this vulnerability underscores the importance of rigorous security practices in industrial control systems. The potential for unauthorized access to critical control systems poses a significant risk to operational integrity and safety. As industrial environments become increasingly connected, the attack surface for potential threats expands, necessitating vigilant cybersecurity measures.
Recommendations
For organizations using Rockwell Automation ControlLogix devices, immediate action is recommended. Because the fix spans both the controllers and the communication modules listed above, firmware on every affected module in the chassis should be brought to the corrected version, not just the controller. In addition, network segmentation and access controls that limit which hosts can reach the communication modules at all reduce the chance that an attacker obtains the network access the attack requires.
Regularly reviewing and updating security protocols, coupled with staying informed about new vulnerabilities and patches, is essential for maintaining robust cybersecurity defenses. Collaborating with security researchers and promptly addressing reported vulnerabilities also plays a critical role in protecting industrial systems from emerging threats.
Conclusion
The disclosure of CVE-2024-6242 highlights the ongoing challenges and complexities in securing industrial control systems. As cyber threats evolve, so must the security measures and practices employed to protect critical infrastructure. By addressing this vulnerability and reinforcing security protocols, organizations can better safeguard their operations against unauthorized access and potential disruptions.