Rockwell Automation today announced the availability of firmware updates and published a security advisory addressing critical vulnerabilities (CVE-2023-3595 and CVE-2023-3596) in Select Communication Modules used in its ControlLogix controllers. Updates for all affected versions—including those no longer supported by Rockwell Automation—are available as well as detection rules. Successful exploitation of these vulnerabilities could allow malicious actors to gain remote access to the running memory of the module and perform malicious activity.
Rockwell Automation Select Communication Modules provide communication links between devices, IT systems, and remote communication. ControlLogix controllers are heavily used across critical infrastructure industries.
The vulnerabilities surfaced after an internal analysis of an exploit capability linked to an unnamed advanced persistent threat actor (APT), Rockwell Automation said. Critical infrastructure operators targeted by APT actors should note that this is an unusual opportunity to understand such a capability belonging to this type of advanced attacker before it’s used in the wild.
“We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear,” Rockwell said in its advisory. “Previous threat actors cyber activity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers.”
The two vulnerabilities affect 1756-EN2*, 1756-EN3*, and 1756-EN4* communication modules.
CVE-2023-3595, an out-of-bounds write vulnerability (CWE-787), was assessed a CVSS v3 score of 9.8 by CISA (advisory). They affect EN2* and EN3* modules, and could allow an attacker to gain persistence on a vulnerable system and remotely execute code using maliciously crafted CIP messages. An attacker would be able to modify, deny, and exfiltrate data moving through the controller.
CVE-2023-3596, an out-of-bounds write vulnerability (CWE-787), (CVSS v3: 7.5) affects EN4* products only, and allows an attacker to carry out denial-of-service attacks through crafted CIP messages.
Depending on the user’s configuration of ControlLogix, additional impacts may be possible, Rockwell and CISA said.
“Exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affect the underlying industrial process,” Rockwell said in its advisory. “This could result in destructive actions where vulnerable modules are installed, including critical infrastructure.”
The full list of affected modules is below:
1756-EN2T Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2T Series D: Versions 11.003 and prior
1756-EN2TK Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TK Series D: Versions 11.003 and prior
1756-EN2TXT Series A, B, and C: Versions 5.008 and 5.028 and prior
1756-EN2TXT Series D: Versions 11.003 and prior
1756-EN2TP Series A: Versions 11.003 and prior
1756-EN2TPK Series A: Versions 11.003 and prior
1756-EN2TPXT Series A: Versions 11.003 and prior
1756-EN2TR Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TR Series C: Versions 11.003 and prior
1756-EN2TRK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRK Series C: Versions 11.003 and prior
1756-EN2TRXT Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2TRXT Series C: Versions 11.003 and prior
1756-EN2F Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2F Series C: Versions 11.003 and prior
1756-EN2FK Series A and B: Versions 5.008 and 5.028 and prior
1756-EN2FK Series C: Versions 11.003 and prior
1756-EN3TR Series A: Versions 5.008 and 5.028 and prior
1756-EN3TR Series B: Versions 11.003 and prior
1756-EN3TRK Series A: Versions 5.008 and 5.028 and prior
1756-EN3TRK Series B: Versions 11.003 and prior
1756-EN4TR Series A: Versions 5.001 and prior
1756-EN4TRK Series A: Versions 5.001 and prior
1756-EN4TRXT Series A: Versions 5.001 and prior
Rockwell urges organizations running affected communications modules to take the following steps as mitigations against these critical flaws:
Firmware Update: EN2* ControlLogix communications modules should be updated to firmware revision 11.0004; EN4* ControlLogix communications modules should be updated to firmware revision 5.002.
Segment: Since network connectivity to a vulnerable module is required for a successful exploit, users should ensure industrial networks are segmented from the internet and enterprise networks.
Signatures: Rockwell has provided a number of Snort signatures users can deploy to monitor for anomalous CIP packets sent to ControlLogix controllers. The Snort rules provided to Claroty by Rockwell follow:
PROTOCOL-SCADA ENIP CIP Socket Object unconnected read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object unconnected ucmm read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object connected read with unusual length detected
PROTOCOL-SCADA ENIP CIP Socket Object connected ucmm read with unusual length detected
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 2 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object attribute with unusual length detected
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 1 contains unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 2 with unusual length
PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 2 contains unusual length
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product sends attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable due to failure of the update mechanism to verify the update server's certificate which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7
