A high-severity security bypass vulnerability has been disclosed in Rockwell Automation ControlLogix 1756 devices that could be exploited to execute Common Industrial Protocol (CIP) programming and configuration commands.
The flaw, which is assigned the CVE identifier CVE-2024-6242, carries a CVSS v3.1 score of 8.4.
“A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted Slot feature in a ControlLogix controller,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.
“If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.”
Operational technology security firm Claroty, which discovered and reported the vulnerability, said it developed a technique that made it possible to bypass the trusted slot feature and send malicious commands to the programmable logic controller (PLC) CPU.
The trusted slot feature “enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis,” security researcher Sharon Brizinov said.
“The vulnerability we found, before it was fixed, allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, traversing the security boundary meant to protect the CPU from untrusted cards.”
While a successful exploit requires network access to the device, an attacker could take advantage of the flaw to send elevated commands, including downloading arbitrary logic to the PLC CPU, even when the attacker is positioned behind an untrusted network card.
Following responsible disclosure, the shortcoming has been addressed in the following versions –
- ControlLogix 5580 (1756-L8z) – Update to versions V32.016, V33.015, V34.014, V35.011, and later.
- GuardLogix 5580 (1756-L8zS) – Update to versions V32.016, V33.015, V34.014, V35.011, and later.
- 1756-EN4TR – Update to versions V5.001 and later.
- 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A – Update to version V12.001 and later.
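To turn the remediation list above into an inventory check, the following added example (not from the article, CISA, Claroty or Rockwell) parses Rockwell-style firmware strings and decides whether a device carries the CVE-2024-6242 fix; the family names, the reading of "and later" and the sample inventory are assumptions made here.

```python
import re

# First fixed revision on each major branch, taken from the advisory list
# (V32.016 -> {32: 16}). The family labels are this example's own keys.
FIXED_VERSIONS = {
    "ControlLogix 5580": {32: 16, 33: 15, 34: 14, 35: 11},
    "GuardLogix 5580": {32: 16, 33: 15, 34: 14, 35: 11},
    "1756-EN4TR": {5: 1},
    "1756-EN2T family (listed series only)": {12: 1},
}

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)$")


def parse_version(text):
    """Turn an advisory-style string such as 'V33.015' into (33, 15)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(match.group(1)), int(match.group(2))


def is_fixed(family, version):
    """True if this firmware includes the fix.

    Assumed reading of "and later": on a listed branch the minor revision
    must reach the listed value; a major newer than every listed branch
    carries the fix; a major older than every listed branch has no fixed
    revision at all and must be upgraded to a listed branch.
    """
    branches = FIXED_VERSIONS[family]
    major, minor = parse_version(version)
    if major in branches:
        return minor >= branches[major]
    return major > max(branches)


def audit(inventory):
    """Return the (device, family, version) entries that still need an update."""
    return [entry for entry in inventory if not is_fixed(entry[1], entry[2])]


# Constructed sample inventory (not from the article) to exercise the check.
SAMPLE_INVENTORY = [
    ("line1-plc", "ControlLogix 5580", "V33.012"),      # below V33.015
    ("line1-safety", "GuardLogix 5580", "V35.011"),     # exactly the fixed revision
    ("line2-plc", "ControlLogix 5580", "V36.011"),      # branch newer than any listed
    ("line2-plc-old", "ControlLogix 5580", "V31.011"),  # branch with no fixed revision
    ("rack-enet", "1756-EN4TR", "V4.002"),              # below V5.001
    ("rack-enet2", "1756-EN2T family (listed series only)", "V12.001"),
]

if __name__ == "__main__":
    for device, family, version in audit(SAMPLE_INVENTORY):
        print(f"{device}: {family} at {version} needs updating")
```

The series qualifier on the EN2T line matters: only the listed series map to V12.001, so a module of another series should be checked against its own advisory rather than this table.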
“This vulnerability had the potential to expose critical control systems to unauthorized access over the CIP protocol that originated from untrusted chassis slots,” Brizinov said.