Rockwell reveals ControlLogix vulnerabilities affect communication modules deployed across critical infrastructure

Rockwell Automation has identified multiple vulnerabilities in specific Allen-Bradley ControlLogix EtherNet/IP (ENIP) communication module models: the 1756-EN2 and 1756-EN3 (CVE-2023-3595) and the 1756-EN4 (CVE-2023-3596). The company, in coordination with the U.S. government, analyzed a novel exploit capability attributed to an Advanced Persistent Threat (APT) actor that affects these modules. The ControlLogix communication modules are deployed across critical infrastructure sectors, including energy, transportation, and water, among others.

“We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear,” Rockwell said in its Wednesday advisory. “Previous threat actor cyber activity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers. Threat activity is subject to change and customers using affected products could face serious risk if exposed.”

The advisory added that exploitation of these vulnerabilities could allow malicious actors to gain remote access to the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to and from the module, establishing persistence on the module, and potentially affecting the underlying industrial process. “This could result in destructive actions where vulnerable modules are installed, including critical infrastructure.”

CVE-2023-3595 allows arbitrary manipulation of firmware memory, which could lead to denial or loss of control, denial or loss of view, theft of operational information, or manipulation of control and manipulation of view for disruptive or destructive consequences, while CVE-2023-3596 could lead to denial or loss of view or denial of control of the industrial process. These communication modules are part of the ControlLogix system and are present in multiple industrial verticals, including, but not limited to, manufacturing, electric, oil and gas, and liquefied natural gas.

In its advisory on the Rockwell vulnerabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that “successful exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity.”

Rockwell called upon organizations to further secure ControlLogix communication modules from exploitation by updating EN2* ControlLogix communication modules to firmware revision 11.004 and updating EN4* ControlLogix communication modules to firmware revision 5.002. It also recommended network segmentation and the deployment of detection signatures.

“Given a cyber actor would require network connectivity to the communication module to exploit the vulnerability, organizations should ensure ICS/SCADA networks are properly segmented within the process structure as well as from the Internet and other non-essential networks,” the Rockwell advisory said. “Use appended Snort signatures to monitor and detect anomalous Common Industrial Protocol (CIP) packets to Rockwell Automation devices,” it added.

Additionally, organizations should increase protection of ICS/SCADA networks by taking regular backups of devices to allow reversion to a clean copy of firmware or a working project; disabling unused CIP objects on communication modules, such as unused CIP Email and Socket Objects; blocking all traffic to CIP-enabled devices from outside the ICS/SCADA network using available security products; and monitoring CIP traffic for unexpected content or unusual packet lengths.

Furthermore, system owners should ensure ICS/SCADA networks are baselined and regularly monitored for deviations in network activity. Specifically, system owners can look for potential indicators of compromise (IOCs) on ControlLogix communication modules. These include unknown scanning of a network for CIP-enabled devices; unexpected or out-of-specification CIP packets to CIP objects implemented in ControlLogix communication modules, including the Email Object and non-public vendor-specific objects; arbitrary writes to communication module memory or firmware; unexpected firmware updates; unexpected disabling of secure boot options; and uncommon firmware file names.
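The recommendations above to monitor CIP traffic for unusual packet lengths and unexpected content, and the IOC list of unknown device scanning and requests to non-public vendor-specific objects, can be turned into a first-pass triage of EtherNet/IP frames. The following is an added example, not code from Rockwell, Dragos, Tenable or any advisory: it parses the ENIP encapsulation header and the CIP request path inside SendRRData, then flags frames whose declared length disagrees with the bytes on the wire, ListIdentity discovery from hosts outside an allowlist, and requests aimed at CIP class IDs in the vendor-specific ranges. The encapsulation command codes, CPF item types and logical segment encodings are the public EtherNet/IP and CIP values; the allowlisted host, the sample IP addresses and every sample frame are constructed for this example, and treating any request into a vendor-specific class range as reviewable is an assumption a site would tune to its own baseline.

```python
# Added example (not Rockwell, Dragos or Tenable code): triage of EtherNet/IP
# frames for the indicators the advisory lists. All sample frames are constructed.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENIP_LIST_IDENTITY, ENIP_SEND_RR_DATA = 0x0063, 0x006F  # encapsulation commands
ENIP_HDR = "<HHII8sI"  # command, length, session, status, sender context, options
ENIP_HDR_LEN = struct.calcsize(ENIP_HDR)  # 24 bytes
CPF_NULL_ADDRESS, CPF_UNCONNECTED_DATA = 0x0000, 0x00B2  # Common Packet Format items
SEG_CLASS_8, SEG_CLASS_16, SEG_INST_8, SEG_INST_16 = 0x20, 0x21, 0x24, 0x25
# Class-ID ranges the CIP object model reserves for vendor-specific objects;
# flagging every request into them is this example's assumption, not a rule.
VENDOR_CLASS_RANGES = ((0x64, 0xC7), (0x300, 0x4FF))


@dataclass
class EnipRecord:
    src: str
    command: int
    declared_len: int
    actual_len: int
    cip_service: Optional[int] = None
    cip_class: Optional[int] = None
    cip_instance: Optional[int] = None


def build_enip(cmd, payload=b"", declared_len=None):
    """Encapsulation header + payload; declared_len lets a sample forge the length field."""
    length = len(payload) if declared_len is None else declared_len
    return struct.pack(ENIP_HDR, cmd, length, 0x11223344, 0, b"\0" * 8, 0) + payload


def build_cip_request(service, class_id, instance_id, data=b""):
    """Message Router request: service, path size in words, logical path, data."""
    def seg(tag8, tag16, value):
        return bytes([tag8, value]) if value <= 0xFF else bytes([tag16, 0]) + struct.pack("<H", value)
    path = seg(SEG_CLASS_8, SEG_CLASS_16, class_id) + seg(SEG_INST_8, SEG_INST_16, instance_id)
    return bytes([service, len(path) // 2]) + path + data


def build_send_rr_data(cip, declared_len=None):
    """SendRRData: interface handle, timeout, CPF (null address item + unconnected data item)."""
    cpf = struct.pack("<HHHHH", 2, CPF_NULL_ADDRESS, 0, CPF_UNCONNECTED_DATA, len(cip)) + cip
    return build_enip(ENIP_SEND_RR_DATA, struct.pack("<IH", 0, 10) + cpf, declared_len)


def parse_logical_path(path):
    """Walk class/instance logical segments; any other segment type ends the walk."""
    cls = inst = None
    i = 0
    try:
        while i < len(path):
            tag = path[i]
            if tag in (SEG_CLASS_8, SEG_INST_8):
                value, step = path[i + 1], 2
            elif tag in (SEG_CLASS_16, SEG_INST_16):
                value, step = struct.unpack_from("<H", path, i + 2)[0], 4
            else:
                break
            if tag in (SEG_CLASS_8, SEG_CLASS_16):
                cls = value
            else:
                inst = value
            i += step
    except (IndexError, struct.error):
        pass  # truncated path: keep whatever was decoded so far
    return cls, inst


def parse_enip(src, frame):
    if len(frame) < ENIP_HDR_LEN:
        raise ValueError("truncated ENIP header")
    cmd, length, _sess, _status, _ctx, _opts = struct.unpack(ENIP_HDR, frame[:ENIP_HDR_LEN])
    body = frame[ENIP_HDR_LEN:]
    rec = EnipRecord(src, cmd, length, len(body))
    if cmd == ENIP_SEND_RR_DATA and len(body) >= 8:
        _iface, _timeout, item_count = struct.unpack_from("<IHH", body, 0)
        off = 8
        for _ in range(item_count):
            if off + 4 > len(body):
                break
            item_type, item_len = struct.unpack_from("<HH", body, off)
            item = body[off + 4:off + 4 + item_len]
            off += 4 + item_len
            if item_type == CPF_UNCONNECTED_DATA and len(item) >= 2:
                rec.cip_service = item[0]
                rec.cip_class, rec.cip_instance = parse_logical_path(item[2:2 + 2 * item[1]])
    return rec


def assess(rec, approved_scanners=frozenset()):
    """Indicators this frame trips; an empty list means nothing to review."""
    findings = []
    if rec.declared_len != rec.actual_len:
        findings.append(f"length mismatch from {rec.src}: header {rec.declared_len}, wire {rec.actual_len}")
    if rec.command == ENIP_LIST_IDENTITY and rec.src not in approved_scanners:
        findings.append(f"ListIdentity discovery from unapproved host {rec.src}")
    if rec.cip_class is not None and any(lo <= rec.cip_class <= hi for lo, hi in VENDOR_CLASS_RANGES):
        findings.append(f"vendor-specific CIP class 0x{rec.cip_class:03X} service 0x{rec.cip_service:02X} from {rec.src}")
    return findings


# Constructed sample traffic with hypothetical hosts; 10.0.0.5 is the assumed approved inventory tool.
APPROVED = frozenset({"10.0.0.5"})
SAMPLES = [
    ("10.0.0.5", build_enip(ENIP_LIST_IDENTITY)),
    ("10.0.0.99", build_enip(ENIP_LIST_IDENTITY)),
    ("10.0.0.7", build_send_rr_data(build_cip_request(0x01, 0x01, 1))),   # Get_Attributes_All, Identity Object
    ("10.0.0.99", build_send_rr_data(build_cip_request(0x4B, 0x64, 1))),  # custom service to a vendor class
    ("10.0.0.99", build_send_rr_data(build_cip_request(0x01, 0x01, 1), declared_len=0x200)),
]


def triage(samples=SAMPLES, approved=APPROVED):
    return [f for src, frame in samples for f in assess(parse_enip(src, frame), approved)]


if __name__ == "__main__":
    print("\n".join(triage()))
```

Run against a capture, the three findings the sample set produces are the ones worth a ticket: a discovery sweep from a host that is not the inventory tool, a request into a vendor-specific class that the baseline has never seen, and a frame whose encapsulation length field does not match what arrived. The parser deliberately stops at the class and instance segments; attribute and symbolic segments, and the connected SendUnitData path, would be the next additions for a production detector.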

As an ICS/OT threat intelligence partner, Dragos worked in advance of the disclosure of CVE-2023-3595 and CVE-2023-3596 to coordinate and help assess the extent of the threat, the company said in a blog post. “Dragos leveraged Neighborhood Keeper, its collective defense and anonymized community-wide visibility solution, as well as OT Watch to evaluate and determine the prevalence of vulnerable devices. This enabled Dragos to use real-time insights to enhance the detections in partnership with Rockwell Automation.” 

Dragos added that these detections were made immediately available to Dragos Platform customers enrolled in OT Watch and Neighborhood Keeper. “In addition, they will be available in the upcoming Knowledge Pack release. The results and impact of exploiting these vulnerabilities vary depending on the ControlLogix system configuration, but they could lead to denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control for disruptive or destructive consequences on the industrial process for which the ControlLogix system is responsible.” 

The post added that knowing about an APT-owned vulnerability before exploitation is a rare opportunity for proactive defense for critical industrial sectors. “The type of access provided by CVE-2023-3595 is similar to the zero-day employed by XENOTIME in the TRISIS attack. Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands. However, their impact is the same.”

Additionally, in both cases there exists the potential to corrupt the information used for incident response and recovery. The attacker could potentially overwrite any part of the system to hide and stay persistent, or the interfaces used to collect incident response or forensic information could be intercepted by malware to avoid detection. Exploitation of this type of vulnerability renders the communication module untrustworthy, and it would need to be decommissioned and sent back to the vendor for analysis.

“Based on analysis by the Dragos Threat Intelligence team using first-party data, as of mid-July 2023 there was no evidence of exploitation in the wild and the targeted victim organizations and industry verticals were unknown,” according to the post. “Threat activity is subject to change and customers using affected products could face serious risk if exposed.”

Dragos advises ICS/OT asset owners to identify assets with impacted communications modules and update their Rockwell Automation ControlLogix firmware to the latest version as soon as possible.

To identify affected systems, industrial cybersecurity vendor Tenable has released plugins for Tenable OT Security (formerly Tenable.ot), Tenable Vulnerability Management (formerly Tenable.io), Tenable Security Center (formerly Tenable.sc), and Tenable Nessus.

“For urgency, Tenable customers can utilize the SCADA plugin to scan for vulnerable devices using Tenable Vulnerability Management, Tenable Security Center, and Tenable Nessus,” Satnam Narang, senior staff research engineer, wrote in a company blog post. “However, for greater visibility regarding the impact to your networks, we strongly encourage customers to utilize our Tenable OT Security plugins,” the post added.

In addition to these plugins, Tenable Research recommends customers use IDS event rule IDs (SIDs) in Tenable OT Security to detect potentially compromised communication adapters.

Rockwell Automation has provided patches for all affected products, including hardware series that were out of support, the company said in its advisory. Detection rules have also been provided. Customers using the affected products are encouraged to evaluate and implement the mitigations provided. Additional details relating to the discovered vulnerabilities, including products in scope, impact, and recommended countermeasures. 

Last April, Claroty’s research arm Team82 and Rockwell provided details about two vulnerabilities in Rockwell programmable logic controllers (PLCs) and engineering workstation software, deployed globally across multiple critical infrastructure sectors. Modified code could be downloaded to a PLC while the engineer at the workstation would likely see the process running as expected, a technique reminiscent of Stuxnet and the Rogue7 attacks.
