Defense Against Rockwell Automation ControlLogix Vulnerabilities

Background

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about two vulnerabilities in Rockwell Automation industrial technology for which an unidentified Advanced Persistent Threat (APT) group is reported to hold a working exploit capability. The vulnerabilities carry CVSS scores of 9.8 and 7.5, indicating severe potential risk. They affect a series of EtherNet/IP communication modules, and a successful attacker could take control of a module, read or alter the data passing through it, or use it to disrupt or damage the process it serves.

  • CVE-2023-3595 is a remote code execution vulnerability in Rockwell Automation’s Allen-Bradley ControlLogix communication modules (1756-EN2* and 1756-EN3* series). Its CVSS v3 base score is 9.8, a critical rating.
  • CVE-2023-3596 is a Denial of Service (DoS) vulnerability in Rockwell Automation’s Allen-Bradley ControlLogix communication modules (1756-EN4* series). Its CVSS v3 base score is 7.5, a high rating.

Cybersecurity firm Dragos assisted in assessing the threat and urges all Operational Technology (OT) asset owners to update their firmware as soon as possible. Rockwell Automation has released fixed firmware for all affected devices. As of mid-July 2023 there was no evidence of exploitation in the wild, but unpatched modules remain exposed. The affected modules are widely deployed in manufacturing, electric utilities, liquefied natural gas, and oil and gas. In those sectors a remote code execution compromise could cause substantial disruption or physical damage, and an attacker could also tamper with logs and other forensic data or overwrite parts of the module’s firmware to maintain persistence.


Overview of vulnerabilities

CVE-2023-3595 is a remote code execution (RCE) vulnerability in Rockwell Automation’s Allen-Bradley ControlLogix 1756-EN2* and 1756-EN3* communication modules. An attacker who can reach a module over the network can send specially crafted Common Industrial Protocol (CIP) messages that execute code on the module with persistence, giving the attacker the ability to modify, deny, and disclose data passing through the device. Affected modules must not be reachable from the internet; that removes the easiest path to exploitation but does not protect against an attacker who is already on the OT network.

CVE-2023-3596 is a vulnerability in Rockwell Automation’s Allen-Bradley ControlLogix 1756-EN4* EtherNet/IP communication modules. An attacker can cause a denial of service by sending maliciously crafted CIP messages to the module.

Additional ICS/OT impacts depend on how the ControlLogix system and the process it controls are configured. Exploiting the RCE vulnerability could let an attacker corrupt the module’s memory in order to:

  • Manipulate the firmware
  • Insert new functionalities
  • Wipe the memory
  • Falsify traffic
  • Gain persistence


Recommended mitigations

Rockwell Automation recommends that all ICS/OT asset owners identify assets with affected communication modules and update their ControlLogix firmware promptly. Users should take the following actions:

  1. Update Firmware: Update 1756-EN2* and 1756-EN3* ControlLogix communication modules to firmware revision 11.004 and 1756-EN4* modules to firmware revision 5.002. The fixed revision depends on the hardware series: older series of the EN2*/EN3* modules remain on the 5.x firmware line, where the fix is revision 5.029, so confirm the exact target revision for each catalog number and series in Rockwell’s advisory before flashing.
  2. Segment Networks Properly: Segment Industrial Control System and Supervisory Control and Data Acquisition (ICS/SCADA) networks according to the process structure, and separate them from the internet and from any other network that has no need to reach them, so that CIP traffic to the modules can only originate from authorized hosts.
  3. Implement Detection Signatures: Deploy the IDS/IPS signatures (for example, Snort rules) released with the advisory to monitor for and detect anomalous Common Industrial Protocol (CIP) packets sent to Rockwell Automation devices. This aids in identifying and responding to attempted exploitation.
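Step 1 depends on knowing which modules are affected and whether each one is already at a fixed revision. The following Python script, an added example that is not code from this article, from Rockwell Automation or from TXOne, triages a constructed inventory of ControlLogix modules: it extracts the product family (EN2, EN3, EN4) from the CIP Identity product name, converts the displayed major.minor revision into a comparable tuple, and reports whether each module is vulnerable, patched or out of scope. The fix table carries the revisions given above (11.004 and 5.002); the 5.029 entry for older EN2*/EN3* hardware series on the 5.x firmware line is taken from Rockwell’s advisory and is an assumption to be verified there for each catalog number and series. The inventory records and IP addresses are constructed.

```python
"""Triage a ControlLogix communication-module inventory against the fixed
firmware revisions for CVE-2023-3595 (1756-EN2*/EN3*) and CVE-2023-3596
(1756-EN4*).  Added example; not code from the article, Rockwell or TXOne.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Rev = Tuple[int, int]  # (major, minor) as reported by the CIP Identity object


@dataclass
class Module:
    ip: str
    product_name: str  # CIP Identity product name, e.g. "1756-EN2T/D"
    revision: str      # "major.minor" as Rockwell tools display it, e.g. "10.010"


# Fixed revisions per product family, keyed by the firmware line a module is
# on.  Each entry is (first revision of the line, first fixed revision).
# 11.004 for EN2*/EN3* and 5.002 for EN4* are the revisions the article
# gives.  The 5.029 entry is for older EN2*/EN3* hardware series that stay
# on the 5.x firmware line; it is taken from Rockwell's advisory and is an
# assumption here: verify it against the advisory for each catalog number
# and series before relying on this table.
FIX_LINES = {
    "EN2": [((5, 0), (5, 29)), ((6, 0), (11, 4))],
    "EN3": [((5, 0), (5, 29)), ((6, 0), (11, 4))],
    "EN4": [((1, 0), (5, 2))],
}

# "1756-EN2T/D" -> family EN2, series D.  Non-EN2/3/4 catalogs do not match.
_PRODUCT = re.compile(r"^1756-(EN[234])\w*(?:/([A-Z]))?$")


def parse_revision(text: str) -> Rev:
    major, minor = text.split(".")
    return int(major), int(minor)


def family_of(product_name: str) -> Optional[str]:
    m = _PRODUCT.match(product_name.strip())
    return m.group(1) if m else None


def required_fix(family: str, rev: Rev) -> Rev:
    """Return the fixed revision for the firmware line `rev` belongs to."""
    lines = FIX_LINES[family]
    target = lines[0][1]  # anything older than the first line needs that fix
    for line_start, fixed in lines:
        if rev >= line_start:
            target = fixed
    return target


def assess(module: Module) -> Tuple[str, Optional[str]]:
    """Return (status, fixed revision as text) for one module."""
    family = family_of(module.product_name)
    if family is None:
        return "not affected", None
    rev = parse_revision(module.revision)
    fix = required_fix(family, rev)
    fix_text = f"{fix[0]}.{fix[1]:03d}"
    return ("patched" if rev >= fix else "vulnerable"), fix_text


def triage(inventory: List[Module]) -> List[Tuple[str, str, str, Optional[str]]]:
    return [(m.ip, m.product_name) + assess(m) for m in inventory]


# Constructed inventory; not real devices or scan output.
SAMPLE_INVENTORY = [
    Module("10.20.1.10", "1756-EN2T/D", "10.010"),
    Module("10.20.1.11", "1756-EN2T/C", "5.028"),
    Module("10.20.1.12", "1756-EN2TR/C", "11.004"),
    Module("10.20.1.13", "1756-EN3TR/B", "11.001"),
    Module("10.20.1.14", "1756-EN4TR/A", "4.001"),
    Module("10.20.1.15", "1756-EN4TR/A", "5.002"),
    Module("10.20.1.16", "1756-ENBT/A", "6.006"),
    Module("10.20.1.20", "1756-L83E/B", "33.011"),
]

if __name__ == "__main__":
    for ip, name, status, fix in triage(SAMPLE_INVENTORY):
        need = f" -> update to {fix}" if status == "vulnerable" else ""
        print(f"{ip:<12} {name:<14} {status}{need}")
```

In practice the product name and revision come from each module’s CIP Identity object (an EtherNet/IP List Identity response) or from an existing asset inventory export; a module whose revision compares below the fixed revision of its own firmware line is the update target, and a 5.x module must not be judged against 11.004.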

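To make step 3 concrete, the following Python checker is an added example that is not one of the Snort signatures released with the advisory and not code from this article, Rockwell Automation or TXOne. It does not detect CVE-2023-3595 or CVE-2023-3596 (the triggering messages are not described on this page); it shows the two checks that sit underneath CIP anomaly detection: whether a CIP session to a module originates from a host the segmentation policy allows, and whether the 24-byte EtherNet/IP encapsulation header (command, length, session handle, status, sender context, options) is consistent with the payload that follows it. The module addresses, the allow-list and the packets are constructed; UDP/2222 implicit I/O traffic is not covered.

```python
"""Structural checks on EtherNet/IP (CIP) traffic to ControlLogix modules:
allow-listed sources and a consistent encapsulation header.

Added example; not a vendor signature and not a detector for the CVEs.
"""
import struct
from typing import List, Optional, Tuple

ENIP_TCP_PORT = 44818

# Encapsulation commands defined by the EtherNet/IP specification.
COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

# 24-byte encapsulation header, little-endian:
# command(2) length(2) session handle(4) status(4) sender context(8) options(4)
HEADER = struct.Struct("<HHIIQI")

# Assumed site policy with constructed addresses: only these hosts may open
# CIP sessions to the listed communication modules.
ALLOWED_SOURCES = {"10.20.0.5", "10.20.0.6"}
MODULES = {"10.20.1.10", "10.20.1.12"}

Packet = Tuple[str, str, int, bytes]  # (src ip, dst ip, dst port, TCP payload)


def inspect(src: str, dst: str, dport: int, payload: bytes) -> List[str]:
    """Return the findings for one TCP payload sent towards a module."""
    findings: List[str] = []
    if dst not in MODULES or dport != ENIP_TCP_PORT:
        return findings  # not CIP traffic to a module we care about
    if src not in ALLOWED_SOURCES:
        findings.append(f"CIP traffic to {dst} from non-allow-listed host {src}")
    if len(payload) < HEADER.size:
        findings.append("truncated encapsulation header")
        return findings
    cmd, length, session, status, _context, options = HEADER.unpack_from(payload)
    name = COMMANDS.get(cmd)
    data_len = len(payload) - HEADER.size
    if name is None:
        findings.append(f"unknown encapsulation command 0x{cmd:04x}")
    if length != data_len:
        findings.append(f"length field {length} does not match {data_len} data bytes")
    if options != 0:
        findings.append("non-zero options field (specification requires 0)")
    if status != 0:
        findings.append(f"request carries non-zero status 0x{status:08x}")
    if name in ("SendRRData", "SendUnitData") and session == 0:
        findings.append(f"{name} without a registered session handle")
    return findings


def build(cmd: int, session: int, data: bytes, length: Optional[int] = None) -> bytes:
    """Build an encapsulation packet; `length` can be forced to a wrong value."""
    return HEADER.pack(cmd, len(data) if length is None else length, session, 0, 0, 0) + data


# Constructed sample traffic, not captured from real devices.
SAMPLES: List[Packet] = [
    ("10.20.0.5", "10.20.1.10", 44818, build(0x0065, 0, b"\x01\x00\x00\x00")),   # RegisterSession, allowed host
    ("10.20.0.5", "10.20.1.10", 44818, build(0x0063, 0, b"")),                   # ListIdentity, allowed host
    ("10.20.5.77", "10.20.1.10", 44818, build(0x0065, 0, b"\x01\x00\x00\x00")),  # same request, unknown host
    ("10.20.0.6", "10.20.1.12", 44818, build(0x006F, 0x11223344, b"\x00" * 16, length=400)),  # bad length
    ("10.20.0.6", "10.20.1.12", 44818, build(0x0070, 0, b"\x00" * 16)),         # SendUnitData, no session
]


def run(packets: List[Packet]) -> List[List[str]]:
    return [inspect(*pkt) for pkt in packets]


if __name__ == "__main__":
    for i, findings in enumerate(run(SAMPLES)):
        print(f"packet {i}: {'ok' if not findings else '; '.join(findings)}")
```

Checks like these belong in the IDS alongside the vendor signatures, not instead of them: the allow-list check turns the segmentation policy from step 2 into an alert when it is violated, and the header checks flag malformed encapsulation frames that no legitimate engineering tool produces.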
 
Further recommendations

Deploy an OT-specific solution such as the TXOne EdgeIPS product series, which gives full visibility into OT traffic, filters industrial protocols, and ships with a prepared rule set to block potential attacks and protect individual assets.

About The Author

Austen Byers is technical director at TXOne Networks, where he leads the company’s design, architecture and engineering efforts and provides technical direction and leadership. Byers is a sought-after thought leader in operational technology (OT) digital safety, with more than 10 years in the cybersecurity space. He has spoken at numerous industry events as a subject-matter expert on the state of industrial cybersecurity and the intricacies of OT breaches, and on strategies that help organizations keep their assets and environments safe.