A high-severity security bypass vulnerability has been disclosed in Rockwell Automation ControlLogix 1756 devices that could be exploited to execute Common Industrial Protocol (CIP) programming and configuration commands.
The flaw, which has been assigned the CVE identifier CVE-2024-6242, carries a CVSS v3.1 score of 8.4.
“A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted Slot feature in a ControlLogix controller,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.
“If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.”
Operational technology security company Claroty, which discovered and reported the vulnerability, said it developed a technique that made it possible to bypass the trusted slot feature and send malicious commands to the programmable logic controller (PLC) CPU.
The trusted slot feature “enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis,” security researcher Sharon Brizinov said.
“The vulnerability we found, before it was fixed, allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, traversing the security boundary meant to protect the CPU from untrusted cards.”
While a successful exploit requires network access to the device, an attacker could take advantage of the flaw to send elevated commands, including downloading arbitrary logic to the PLC CPU, even if the attacker is located behind an untrusted network card.
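The point Brizinov makes is that a trusted-slot policy is only as good as the question it asks: whether the card that physically originated a request is trusted, or merely whether the last backplane hop before the controller came from a trusted slot. The following is an added illustration, not Rockwell Automation's or Claroty's code and not a description of the actual bypass: a simplified model that decodes a CIP route path and evaluates it against both styles of policy. The port-segment byte layout follows the CIP specification (bits 7-5 = 000, bit 4 = extended link-address flag, bits 3-0 = port number, then a one-byte link address); the names `BACKPLANE_PORT`, `TrustedSlotPolicy`, `last_hop_check`, `origin_check`, the slot numbers and the sample routes are all constructed for this example.

```python
# Added illustration (not vendor code): a conceptual "trusted slot" policy model
# evaluated over decoded CIP route paths. Port-segment layout per the CIP spec;
# policy names, slot numbers and sample routes are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List, Tuple

BACKPLANE_PORT = 1  # port 1 is the 1756 backplane, as in Logix route paths like "1,0"


def parse_route_path(raw: bytes) -> List[Tuple[int, int]]:
    """Decode consecutive CIP port segments into (port, link_address) hops."""
    hops = []
    i = 0
    while i < len(raw):
        seg = raw[i]
        if seg & 0xE0 != 0x00:
            raise ValueError(f"byte 0x{seg:02x} at offset {i} is not a port segment")
        if seg & 0x10:
            raise ValueError("extended (multi-byte) link addresses are out of scope here")
        port = seg & 0x0F
        if port == 0x0F or i + 1 >= len(raw):
            raise ValueError(f"malformed port segment at offset {i}")
        hops.append((port, raw[i + 1]))  # one-byte link address = backplane slot
        i += 2
    return hops


@dataclass(frozen=True)
class TrustedSlotPolicy:
    controller_slot: int
    trusted_slots: frozenset  # slots allowed to send programming/config commands


def last_hop_check(policy: TrustedSlotPolicy, origin_slot: int, hops) -> Tuple[bool, str]:
    """Weak policy: only the slot that forwards the final hop to the controller is
    inspected, so a request relayed through a trusted slot is accepted."""
    current = origin_slot
    for port, link in hops:
        if port != BACKPLANE_PORT:
            return False, f"non-backplane port {port} in a local route"
        if link == policy.controller_slot and current not in policy.trusted_slots:
            return False, f"slot {current} is untrusted"
        current = link
    return True, "ok"


def origin_check(policy: TrustedSlotPolicy, origin_slot: int, hops) -> Tuple[bool, str]:
    """Stronger policy: the physical origin must be trusted, and any local route
    that re-enters the backplane (a slot-to-slot relay) is rejected outright."""
    if origin_slot not in policy.trusted_slots:
        return False, f"origin slot {origin_slot} is untrusted"
    for port, _ in hops:
        if port != BACKPLANE_PORT:
            return False, f"non-backplane port {port} in a local route"
    if len(hops) > 1:
        return False, "route relays through another backplane slot"
    return True, "ok"


# Constructed sample: controller in slot 0, only slot 2 trusted, requests from slot 3.
POLICY = TrustedSlotPolicy(controller_slot=0, trusted_slots=frozenset({2}))
DIRECT = bytes([0x01, 0x00])               # route "1,0": straight to slot 0
RELAYED = bytes([0x01, 0x02, 0x01, 0x00])  # route "1,2,1,0": via slot 2, then slot 0


def audit() -> Dict[str, bool]:
    """Run both policies over the constructed routes; returns {policy/route: allowed}."""
    results = {}
    for name, raw in (("direct", DIRECT), ("relayed", RELAYED)):
        hops = parse_route_path(raw)
        results[f"last_hop/{name}"] = last_hop_check(POLICY, 3, hops)[0]
        results[f"origin/{name}"] = origin_check(POLICY, 3, hops)[0]
    return results


if __name__ == "__main__":
    for key, allowed in audit().items():
        print(f"{key:18s} {'ALLOWED' if allowed else 'denied'}")
```

Running it shows the gap in the weaker policy: both policies deny the direct request from untrusted slot 3, but only `origin_check` denies the relayed one, because `last_hop_check` sees trusted slot 2 as the sender of the final hop. For detection engineering the same decoding can be applied to captured CIP Forward Open or unconnected-send requests to flag local routes that touch the backplane more than once.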
Following responsible disclosure, the shortcoming has been addressed in the following versions:
- ControlLogix 5580 (1756-L8z) – Update to versions V32.016, V33.015, V34.014, V35.011, and later.
- GuardLogix 5580 (1756-L8zS) – Update to versions V32.016, V33.015, V34.014, V35.011, and later.
- 1756-EN4TR – Update to versions V5.001 and later.
- 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A – Update to version V12.001 and later.
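Because the controllers have a separate fixed build in each major firmware branch, a plain "version greater than X" comparison misclassifies assets (V33.014 is vulnerable even though it is numerically above V32.016). The following is an added example, not Rockwell Automation tooling, that checks an inventory against the fixed versions listed above. The product names and version numbers are taken from the list; the interpretation of "and later" (any higher build within a listed major branch, and any major branch above the highest listed one, counts as fixed; any branch below the lowest listed one does not) and the sample inventory are assumptions made for this example.

```python
# Added example (not vendor tooling): classify firmware versions against the fixed
# builds listed for CVE-2024-6242. Products and versions come from the advisory list;
# the "and later" interpretation and the sample inventory are assumptions.
import re
from typing import Dict, Iterable, List, Tuple

FIXED_VERSIONS: Dict[str, List[str]] = {
    "ControlLogix 5580 (1756-L8z)": ["V32.016", "V33.015", "V34.014", "V35.011"],
    "GuardLogix 5580 (1756-L8zS)": ["V32.016", "V33.015", "V34.014", "V35.011"],
    "1756-EN4TR": ["V5.001"],
    "1756-EN2T Series D": ["V12.001"],
    "1756-EN2F Series C": ["V12.001"],
    "1756-EN2TR Series C": ["V12.001"],
    "1756-EN3TR Series B": ["V12.001"],
    "1756-EN2TP Series A": ["V12.001"],
}

_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int]:
    """'V32.016' -> (32, 16). Leading 'V' is optional; anything else is rejected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_fixed(product: str, version: str) -> bool:
    """True if the given firmware carries the fix for this product."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"product not covered by the advisory list: {product!r}")
    major, minor = parse_version(version)
    fixed = sorted(parse_version(v) for v in FIXED_VERSIONS[product])
    for fixed_major, fixed_minor in fixed:
        if major == fixed_major:           # same branch: compare the build number
            return minor >= fixed_minor
    # Branch not listed (assumption): above the highest listed branch = fixed,
    # below the lowest listed branch = no fix available.
    return major > fixed[-1][0]


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (asset_id, product, version) entries that still need an update."""
    return [entry for entry in inventory if not is_fixed(entry[1], entry[2])]


# Constructed sample inventory (asset ids and versions invented for this example).
SAMPLE_INVENTORY = [
    ("plc-line1", "ControlLogix 5580 (1756-L8z)", "V33.014"),  # below the V33 fix
    ("plc-line2", "GuardLogix 5580 (1756-L8zS)", "V35.011"),   # exactly the fixed build
    ("enet-line1", "1756-EN2T Series D", "V11.005"),           # older branch, no fix
    ("enet-line2", "1756-EN4TR", "V5.001"),                    # fixed
]

if __name__ == "__main__":
    for asset, product, version in triage(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED  {asset:12s} {product} {version}")
```

The branch-aware comparison is the part worth keeping: it treats each listed major version as its own line and only applies the "later branches are fixed" rule where the advisory gives no build for that branch, which is the assumption to confirm against the vendor's release notes before relying on it.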
“This vulnerability had the potential to expose critical control systems to unauthorized access over the CIP protocol that originated from untrusted chassis slots,” Brizinov said.