Overview of the Vulnerability
A significant security flaw has been identified in Rockwell Automation’s ControlLogix 1756 devices, which could allow unauthorized access to system programming and configuration via the Common Industrial Protocol (CIP). The vulnerability, tracked as CVE-2024-6242, has been assigned a high-severity CVSS v3.1 base score of 8.4.
Details from CISA Advisory
The United States Cybersecurity and Infrastructure Security Agency (CISA) issued a warning, highlighting that an attacker could bypass the Trusted Slot feature in these controllers. The advisory states, “An attacker can exploit this vulnerability to issue CIP commands that may alter user projects or the device configuration within a Logix controller in the affected chassis.”
Discovery and Exploitation Method
The flaw was discovered by the cybersecurity firm Claroty, which explained that it could enable an attacker to send unauthorized commands to the PLC CPU while bypassing the trusted slot feature. Security expert Sharon Brizinov noted that the trusted slot function is designed to enforce security rules and prevent communication through untrusted pathways within the local chassis.
However, the vulnerability allowed attackers to route through local backplane slots in a 1756 chassis using CIP routing, thereby crossing the security boundary intended to protect the CPU. This could enable an attacker to upload malicious logic to the PLC CPU even when connected through an untrusted network card. It is important to note that a successful exploit requires network access to the affected chassis.
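To make the routing mechanism concrete, the following is an added example; it is not code from this article, from Claroty, or from Rockwell. It decodes a CIP connection path into its port-segment hops (the encoding the CIP specification uses for "port, link address" routes, which RSLogix users see as strings such as "1,0" for "backplane, slot 0") and counts how many times a path enters the backplane. Treating a path with more than one backplane hop as suspicious is a heuristic I am assuming here for illustration; it is not a signature for the actual bypass, whose exact route is not described on this page. All path strings and addresses are constructed.

```python
"""Decode CIP connection paths (port segments) and flag routes that cross the
1756 backplane more than once.  Added example; not Claroty's or Rockwell's code.

Port-segment layout (CIP Vol. 1, Appendix C):
  header byte  0 0 0 E P P P P   E = extended link-address flag, PPPP = port id
  E set    ->  next byte is the link-address length, then that many ASCII bytes
               (e.g. an IP address), padded with one byte if the length is odd
  PPPP=15  ->  a 16-bit little-endian port number follows (after the length byte)
  E clear  ->  one-byte link address (on the backplane: the slot number)
"""
from __future__ import annotations

from dataclasses import dataclass

BACKPLANE_PORT = 1  # port 1 is the local chassis backplane on 1756 modules


@dataclass(frozen=True)
class Hop:
    port: int
    link: str  # slot number as text, or IP/host for extended link addresses


def encode_path(text: str) -> bytes:
    """Encode an RSLogix-style path such as "2,192.168.1.10,1,0" into port segments."""
    parts = text.split(",")
    if len(parts) % 2:
        raise ValueError("path must be port,link pairs")
    out = bytearray()
    for port_s, link in zip(parts[0::2], parts[1::2]):
        port = int(port_s)
        if not 1 <= port <= 14:
            raise ValueError("only simple ports 1..14 are supported here")
        if link.isdigit():                      # simple link address (slot number)
            out += bytes([port, int(link)])
        else:                                   # extended link address (ASCII)
            raw = link.encode("ascii")
            out += bytes([0x10 | port, len(raw)]) + raw
            if len(raw) % 2:
                out += b"\x00"                  # pad segment to even length
    return bytes(out)


def parse_path(path: bytes) -> list[Hop]:
    """Decode port segments into hops; rejects anything that is not a port segment."""
    hops: list[Hop] = []
    i = 0
    while i < len(path):
        hdr = path[i]
        if hdr & 0xE0:
            raise ValueError(f"byte {i}: 0x{hdr:02x} is not a port segment")
        extended = bool(hdr & 0x10)
        port = hdr & 0x0F
        i += 1
        link_len = 1
        if extended:
            link_len = path[i]
            i += 1
        if port == 15:                          # extended port number
            port = int.from_bytes(path[i:i + 2], "little")
            i += 2
        if i + link_len > len(path):
            raise ValueError("truncated link address")
        raw = path[i:i + link_len]
        i += link_len
        if extended:
            hops.append(Hop(port, raw.decode("ascii")))
            if link_len % 2:
                i += 1                          # skip pad byte
        else:
            hops.append(Hop(port, str(raw[0])))
    return hops


def backplane_hops(hops: list[Hop]) -> list[Hop]:
    return [h for h in hops if h.port == BACKPLANE_PORT]


def classify_path(path: bytes) -> str:
    """Heuristic (my assumption, not a vendor signature): a request arriving from a
    network module enters the backplane once, straight to the controller's slot.
    A path that enters the backplane again hops between local slots before it
    reaches the controller, which is the kind of route the article describes."""
    n = len(backplane_hops(parse_path(path)))
    if n == 0:
        return "no-backplane"
    if n == 1:
        return "direct"
    return "multi-hop-backplane"


if __name__ == "__main__":
    for text in ("1,0", "2,192.168.1.10,1,0", "1,3,1,0"):   # constructed paths
        raw = encode_path(text)
        print(f"{text:<22} {raw.hex():<40} {classify_path(raw)}")
```

In a real deployment this check would run over the connection path carried in CIP Forward Open or unconnected-send requests seen on the EtherNet/IP side; here the paths are built locally so the example runs offline.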
Affected Devices and Patch Information
The issue has been addressed in the following software updates:
- ControlLogix 5580 (1756-L8z): Update to V32.016, V33.015, V34.014, V35.011, or later within the corresponding release branch.
- GuardLogix 5580 (1756-L8zS): Update to V32.016, V33.015, V34.014, V35.011, or later within the corresponding release branch.
- 1756-EN4TR: Upgrade to version V5.001 and above.
- 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A: Update to version V12.001 and later.
Conclusion
Brizinov emphasized that this vulnerability posed a serious risk, potentially exposing critical control systems to unauthorized access via the CIP protocol from untrusted chassis slots. Users of the affected systems are strongly urged to update their devices to the latest versions to mitigate this security threat.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.