Critical Flaw in Rockwell Automation Devices Allows Unauthorized Access

Aug 05, 2024 | Ravie Lakshmanan | Network Security / Vulnerability

A high-severity security bypass vulnerability has been disclosed in Rockwell Automation ControlLogix 1756 devices that could be exploited to execute Common Industrial Protocol (CIP) programming and configuration commands.

The flaw, which has been assigned the CVE identifier CVE-2024-6242, carries a CVSS v3.1 score of 8.4.

“A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted Slot feature in a ControlLogix controller,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.

“If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.”

Operational technology security company Claroty, which discovered and reported the vulnerability, said it developed a technique that made it possible to bypass the trusted slot feature and send malicious commands to the programmable logic controller (PLC) CPU.


The trusted slot feature “enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis,” security researcher Sharon Brizinov said.

“The vulnerability we found, before it was fixed, allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, traversing the security boundary meant to protect the CPU from untrusted cards.”

While a successful exploit requires network access to the device, an attacker could take advantage of the flaw to send elevated commands, including downloading arbitrary logic to the PLC CPU, even if the attacker is located behind an untrusted network card.

Following responsible disclosure, the shortcoming has been addressed in the following versions:

  • ControlLogix 5580 (1756-L8z) – Update to versions V32.016, V33.015, V34.014, V35.011, and later.
  • GuardLogix 5580 (1756-L8zS) – Update to versions V32.016, V33.015, V34.014, V35.011, and later.
  • 1756-EN4TR – Update to versions V5.001 and later.
  • 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A – Update to version V12.001 and later.
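As an added defender-side check (not part of the article, Rockwell's or Claroty's tooling), the script below compares an asset inventory of 1756 firmware versions against the fixed releases listed above. The inventory rows are constructed samples; the fixed-version table is transcribed from the list, and it assumes that a controller on a major branch older than V32 (for which no fix is listed) counts as unpatched.

```python
"""Flag 1756 assets whose firmware predates the CVE-2024-6242 fixed releases."""
import re

# Minimum fixed minor release per product and per major firmware branch,
# transcribed from the advisory list. A later major branch than any listed
# is treated as fixed ("and later"); an earlier one has no fix and is flagged.
FIXED = {
    "ControlLogix 5580":   {32: 16, 33: 15, 34: 14, 35: 11},
    "GuardLogix 5580":     {32: 16, 33: 15, 34: 14, 35: 11},
    "1756-EN4TR":          {5: 1},
    "1756-EN2T Series D":  {12: 1},
    "1756-EN2F Series C":  {12: 1},
    "1756-EN2TR Series C": {12: 1},
    "1756-EN3TR Series B": {12: 1},
    "1756-EN2TP Series A": {12: 1},
}

def parse_version(text):
    """'V32.016' -> (32, 16); rejects anything not in the V<major>.<minor> form."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def is_fixed(product, version):
    """True if `version` of `product` is at or beyond a fixed release."""
    branches = FIXED[product]
    major, minor = parse_version(version)
    if major in branches:
        return minor >= branches[major]
    # Assumption: newer branches are fixed, older branches are not.
    return major > max(branches)

def vulnerable_assets(inventory):
    """Return (asset_id, product, version) for every asset still unpatched."""
    return [(a, p, v) for a, p, v in inventory if not is_fixed(p, v)]

# Constructed sample inventory; asset names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("plc-01", "ControlLogix 5580", "V35.011"),   # exactly the fixed release
    ("plc-02", "ControlLogix 5580", "V33.014"),   # one below V33.015
    ("plc-03", "GuardLogix 5580", "V36.011"),     # later branch than listed
    ("plc-04", "ControlLogix 5580", "V31.011"),   # branch with no listed fix
    ("eth-01", "1756-EN4TR", "V4.002"),           # below V5.001
    ("eth-02", "1756-EN2TR Series C", "V12.001"), # exactly the fixed release
]

if __name__ == "__main__":
    for asset in vulnerable_assets(SAMPLE_INVENTORY):
        print("UNPATCHED:", *asset)
```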

“This vulnerability had the potential to expose critical control systems to unauthorized access over the CIP protocol that originated from untrusted chassis slots,” Brizinov said.
