Rockwell Automation ControlLogix Bugs Expose Industrial Systems to Remote Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of two security flaws impacting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module models that could be exploited to achieve remote code execution and denial-of-service (DoS).

The list of flaws is as follows –

  • CVE-2023-3595 (CVSS score: 9.8) – An out-of-bounds write flaw impacting 1756 EN2* and 1756 EN3* products that could result in arbitrary code execution with persistence on the target system through maliciously crafted Common Industrial Protocol (CIP) messages.
  • CVE-2023-3596 (CVSS score: 7.5) – An out-of-bounds write flaw impacting 1756 EN4* products that could lead to a DoS condition through maliciously crafted CIP messages.

Impacted devices include 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK, 1756-EN4TR, 1756-EN4TRK, and 1756-EN4TRXT. Patches have been made available by Rockwell Automation to address the issues.

“The type of access provided by CVE-2023-3595 is similar to the zero-day employed by XENOTIME in the TRISIS attack,” the industrial cybersecurity company said.

“Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands. However, their impact is the same.”

TRISIS, also known as TRITON, is an industrial control systems (ICS) malware that has been previously observed targeting Schneider Electric’s Triconex safety instrumented system (SIS) controllers used in oil and gas facilities. A petrochemical plant in Saudi Arabia was discovered as a victim in late 2017, according to Dragos and Mandiant.

“In addition to the compromise of the vulnerable module itself, the vulnerability could also allow an attacker to affect the industrial process along with the underlying critical infrastructure, which may result in possible disruption or destruction,” Tenable researcher Satnam Narang said of CVE-2023-3595.