Rockwell Automation ControlLogix

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted of two security flaws impacting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module models that could be exploited to achieve remote code execution and denial-of-service (DoS).

"The results and impact of exploiting these vulnerabilities vary depending on the ControlLogix system configuration, but they could lead to denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control for disruptive or destructive consequences on the industrial process for which the ControlLogix system is responsible," Draogos said.

The list of flaws is as follows -

  • CVE-2023-3595 (CVSS score: 9.8) - An out-of-bounds write flaw impacting 1756 EN2* and 1756 EN3* products that could result in arbitrary code execution with persistence on the target system through maliciously crafted common industrial protocol (CIP) messages.
  • CVE-2023-3596 (CVSS score: 7.5) - An out-of-bounds write flaw impacting 1756 EN4* products that could lead to a DoS condition through maliciously crafted CIP messages.

"Successful exploitation of these vulnerabilities could allow malicious actors to gain remote access to the running memory of the module and perform malicious activity," CISA said.

Even worse, the flaws could be abused to potentially overwrite any part of the system to fly under the radar and stay persistent, not to mention render the module untrustworthy.

Impacted devices include 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK, 1756-EN4TR, 1756-EN4TRK, and 1756-EN4TRXT. Patches have been available by Rockwell Automation to address the issues.

"The type of access provided by CVE-2023-3595 is similar to the zero-day employed by XENOTIME in the TRISIS attack," the industrial cybersecurity company said. "Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands. However, their impact is the same."

TRISIS, also known as TRITON, is an industrial control systems (ICS) malware that has been previously observed targeting Schneider Electric's Triconex safety instrumented system (SIS) controllers used in oil and gas facilities. A petrochemical plant in Saudi Arabia was discovered as a victim in late 2017, according to Dragos and Mandiant.

Dragos also cautioned it discovered an "unreleased exploit capability leveraging these vulnerabilities" that's associated with an identified nation-state group and that as of mid-July 2023, "there was no evidence of exploitation in the wild and the targeted victim organizations and industry verticals were unknown."

"In addition to the compromise of the vulnerable module itself, the vulnerability could also allow an attacker to affect the industrial process along with the underlying critical infrastructure, which may result in possible disruption or destruction," Tenable researcher Satnam Narang said of CVE-2023-3595.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.