A serious security vulnerability has been identified in Rockwell Automation’s ControlLogix 1756 devices. The flaw could allow attackers to bypass a key security control and execute programming and configuration commands over the Common Industrial Protocol (CIP), the protocol widely used in industrial automation. Tracked as CVE-2024-6242, the vulnerability has been assigned a CVSS v3.1 score of 8.4, indicating high severity.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the vulnerability permits unauthorized manipulation of the Trusted Slot feature within the ControlLogix controllers. If successfully exploited, attackers could potentially issue CIP commands that alter user projects and manipulate device configurations on affected Logix controllers housed within the same chassis.
Discovered by the operational technology security firm Claroty, the vulnerability stems from a technique that circumvents the trusted slot protection. The method allows malicious commands to be sent directly to the programmable logic controller (PLC) CPU, creating a significant security risk.
The Trusted Slot feature is a critical security measure that is designed to enforce communication policies within the local chassis, denying unauthorized access from untrusted paths. Sharon Brizinov, a security researcher at Claroty, explained that the vulnerability allows malicious actors to navigate through local backplane slots via CIP routing, compromising the security boundary meant to shield the CPU from potentially harmful devices.
Successful exploitation of this vulnerability requires network access to the affected device. With that access, attackers could issue elevated commands, such as downloading arbitrary logic to the PLC CPU. The risk remains even for attackers positioned behind untrusted network cards.
Rockwell Automation has taken steps to address this vulnerability following responsible disclosure. The fix has been implemented across several device versions, including updates for ControlLogix 5580 (1756-L8z), GuardLogix 5580 (1756-L8zS), and various series of the 1756 network modules.
Brizinov underscored the gravity of the situation, stating that this vulnerability could lead to unauthorized access to critical control systems via the CIP protocol, especially from untrusted slots within the chassis. With the potential for substantial impact on operational technology environments, stakeholders in cybersecurity and industrial automation are urged to update their systems accordingly to mitigate these risks.
As organizations become increasingly reliant on interconnected systems, they must remain vigilant against evolving threats. The incident with Rockwell Automation demonstrates the need for robust security practices and timely updates to safeguard operational technology. The potential tactics used in this attack may align with MITRE ATT&CK framework categories such as initial access, privilege escalation, and exploitation of vulnerabilities, highlighting the importance of comprehensive security measures in industrial settings.