Background
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a vulnerability in industrial technology based on information provided by Rockwell Automation, which is currently being exploited by an unidentified Advanced Persistent Threat (APT) group. The vulnerabilities, known as CVE-2023-3595 and CVE-2023-3596, have been assigned CVSS scores of 9.8 and 7.5, respectively, indicating severe potential risks. These vulnerabilities affect a series of communication modules, enabling hackers to potentially control devices, steal data, or manipulate these devices in disruptive or destructive ways.
- CVE-2023-3595 is a vulnerability enabling remote code execution within Rockwell Automation’s Allen-Bradley ControlLogix communication modules. According to CVSS v3 evaluation, it has been assigned a critical risk rating of 9.8.
- CVE-2023-3596 is a Denial of Service (DoS) vulnerability found in Rockwell Automation’s Allen-Bradley ControlLogix communication modules. According to CVSS v3 evaluation, it has been assigned a high-risk rating of 7.5.
Cybersecurity firm Dragos assisted in assessing the threat and has urged all Operational Technology (OT) companies to update their firmware as soon as possible. Rockwell Automation has released updates for all affected devices. Although there’s no evidence of exploitation in the wild as of mid-July 2023, companies using the affected products could be exposed to severe risks. The targeted product, which is commonly used in the manufacturing, electric, oil, gas, and liquefied natural gas industries, could cause substantial disruption or even destruction if compromised through remote code execution. In addition, cyber criminals could corrupt incident response data or overwrite parts of the system to sustain their presence.
Overview of Vulnerabilities
CVE-2023-3595 is a remote code execution (RCE) vulnerability in Rockwell Automation’s Allen-Bradley ControlLogix communication modules, specifically within the 1756 EN2* and 1756 EN3* ControlLogix communication products. Attackers could exploit this vulnerability by sending specially crafted Common Industrial Protocol (CIP) commands to persistently execute remote code on the target system. This includes the ability to modify, deny, and disclose data passing through the device. If the module is not isolated from the internet, the risk of exploitation increases.
On the other hand, CVE-2023-3596 is a vulnerability present in Rockwell Automation’s Allen-Bradley ControlLogix 1756 EN4* EtherNet/IP communication products. Attackers may cause a denial of service by sending maliciously crafted CIP messages to the target system.
Additional ICS/OT impacts will depend on the configuration of the ControlLogix system and how the process operation is set up. According to Rockwell and CISA, successful exploitation of this vulnerability could enable an attacker to corrupt the vulnerable module’s memory, allowing the attacker to:
- Manipulate the firmware of the module
- Insert new functionalities into the module
- Wipe the memory of the module
- Falsify traffic between modules
- Gain persistence on the module
Recommended Mitigations
Rockwell Automation has released immediate mitigation measures and recommends that all ICS/OT asset owners identify assets with impacted communication modules and promptly update their Rockwell Automation ControlLogix firmware to the latest version. To further secure ControlLogix communication modules from potential exploitation, users of these modules are recommended to take the following actions:
- Update Firmware: It’s recommended that EN2* ControlLogix communication modules be updated to firmware revision 11.004, and EN4* ControlLogix communication modules to firmware revision 5.002.
- Segment Networks Properly: To prevent cyber actors from exploiting the vulnerability, organizations should properly segment their Industrial Control Systems/Supervisory Control and Data Acquisition (ICS/SCADA) networks within their process structure, separating them from the internet and other non-essential networks.
- Implement Detection Signatures: Users are advised to deploy the published IPS/IDS signatures (e.g., Snort rules) to monitor for and detect anomalous Common Industrial Protocol (CIP) packets sent to Rockwell Automation devices. This will aid in identifying and responding to any potential threat activity.
How TXOne Networks Can Help
TXOne has prepared a rule set for the EdgeIPS product series to block potential attacks. The protection rule set will be released via the Out-of-Cycle (OoC) mechanism. Please update the rule packages to the following versions to get the latest protection:
- EdgeIPS Pro: TM_IPSP_230714_15
- EdgeIPS/EdgeFire: TM_230714_15
- EdgeIPS LE: TM_IPSLE_230714_15
- EdgeIPS v2.0/EdgeFire v2.0: TXv2_STD_230714_1
The protection rule list:
1233214 ICS Rockwell Automation CIP Socket Object unconnected read with unusual length
1233215 ICS Rockwell Automation CIP Socket Object unconnected UCMM read with unusual length
1233216 ICS Rockwell Automation CIP Socket Object connected read with unusual length
1233217 ICS Rockwell Automation CIP Socket Object connected UCMM read with unusual length
1233219 ICS Rockwell Automation CIP Socket Object unconnected parameter 1 contains unusual length
1233220 ICS Rockwell Automation CIP Socket Object unconnected parameter 2 contains unusual length
1233223 ICS Rockwell Automation CIP Socket Object unconnected UCMM parameter 1 contains unusual length
1233224 ICS Rockwell Automation CIP Socket Object unconnected UCMM parameter 2 contains unusual length
1233226 ICS Rockwell Automation CIP Socket Object connected parameter 1 contains unusual length
1233227 ICS Rockwell Automation CIP Socket Object connected parameter 2 contains unusual length
1233228 ICS Rockwell Automation CIP Socket Object connected UCMM parameter 1 contains unusual length
1233229 ICS Rockwell Automation CIP Socket Object connected UCMM parameter 2 contains unusual length
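The "Implement Detection Signatures" recommendation above and the TXOne rule names in this list share one idea: inspect CIP requests addressed to the Socket Object and flag those whose request data is unusually long. The following is an added, self-contained Python example of that detection logic; it is not TXOne's rule code, nor Rockwell's or CISA's published signatures. It parses EtherNet/IP (ENIP) encapsulation frames for both unconnected (SendRRData/UCMM) and connected (SendUnitData) messaging, extracts the CIP service, EPATH and request data, and alerts when the target class is the Socket Object and the data exceeds a size threshold. The sample frames are constructed inline for the demonstration; the Socket Object class code (0x342) and the 64-byte threshold are assumptions that should be verified against the ODVA specification and tuned against baseline traffic from your own devices.

```python
"""Added example (not from the advisory or the TXOne rule set): an offline
detector for CIP requests to the Socket Object with unusually long request
data, in the spirit of the IPS/IDS signatures recommended above."""
import struct

ENIP_SEND_RR_DATA = 0x6F      # unconnected messaging (UCMM) encapsulation command
ENIP_SEND_UNIT_DATA = 0x70    # connected messaging encapsulation command
CPF_UNCONNECTED_DATA = 0x00B2 # Common Packet Format: unconnected data item
CPF_CONNECTED_DATA = 0x00B1   # Common Packet Format: connected data item
SOCKET_OBJECT_CLASS = 0x342   # assumption: CIP Socket Object class ID (verify against ODVA Vol. 2)
MAX_REQUEST_DATA = 64         # assumption: request-data bytes above which we raise an alert


def parse_epath(path: bytes):
    """Return (class_id, instance_id) from a padded CIP EPATH; missing parts are None."""
    class_id = instance_id = None
    i = 0
    while i < len(path):
        seg = path[i]
        if seg in (0x20, 0x24) and i + 2 <= len(path):          # 8-bit class / instance
            value = path[i + 1]
            i += 2
        elif seg in (0x21, 0x25) and i + 4 <= len(path):        # 16-bit class / instance (pad byte, then LE u16)
            value = struct.unpack_from('<H', path, i + 2)[0]
            i += 4
        else:
            break                                               # other segment types are not needed here
        if seg in (0x20, 0x21):
            class_id = value
        else:
            instance_id = value
    return class_id, instance_id


def extract_cip(frame: bytes):
    """Return (transport, cip_request_bytes) for a data-carrying ENIP frame, None if not one.
    Raises ValueError on frames whose declared lengths do not match the bytes present."""
    if len(frame) < 24:
        raise ValueError('short ENIP header')
    command, length = struct.unpack_from('<HH', frame, 0)
    if length != len(frame) - 24:
        raise ValueError('ENIP length field does not match frame size')
    if command not in (ENIP_SEND_RR_DATA, ENIP_SEND_UNIT_DATA):
        return None
    off = 24
    _handle, _timeout, item_count = struct.unpack_from('<IHH', frame, off)  # interface handle, timeout, CPF count
    off += 8
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from('<HH', frame, off)
        off += 4
        item = frame[off:off + item_len]
        if len(item) != item_len:
            raise ValueError('truncated CPF item')
        off += item_len
        if item_type == CPF_UNCONNECTED_DATA:
            return 'unconnected', item
        if item_type == CPF_CONNECTED_DATA:
            return 'connected', item[2:]         # skip the 16-bit sequence count in front of the CIP request
    return None


def inspect_frame(frame: bytes):
    """Return a list of alert strings for one ENIP frame (empty list means nothing suspicious)."""
    try:
        found = extract_cip(frame)
    except ValueError as err:
        return [f'malformed ENIP frame: {err}']
    if found is None:
        return []
    transport, cip = found
    if len(cip) < 2:
        return ['CIP request too short']
    service, path_words = cip[0], cip[1]
    path = cip[2:2 + 2 * path_words]
    data = cip[2 + 2 * path_words:]
    class_id, _instance = parse_epath(path)
    alerts = []
    if class_id == SOCKET_OBJECT_CLASS and len(data) > MAX_REQUEST_DATA:
        alerts.append(f'{transport} CIP Socket Object service 0x{service:02x} '
                      f'with unusual request length {len(data)}')
    return alerts


# --- constructed sample traffic (not captured from any real device) -------------------------
def build_cip_request(service: int, class_id: int, instance_id: int, data: bytes) -> bytes:
    path = bytes([0x21, 0x00]) + struct.pack('<H', class_id) + bytes([0x24, instance_id])
    return bytes([service, len(path) // 2]) + path + data


def build_frame(command: int, data_item_type: int, cip: bytes) -> bytes:
    if data_item_type == CPF_CONNECTED_DATA:
        addr = struct.pack('<HHI', 0x00A1, 4, 0x11223344)   # connected address item (sample connection id)
        payload = struct.pack('<H', 1) + cip                 # sequence count + CIP request
    else:
        addr = struct.pack('<HH', 0x0000, 0)                 # null address item
        payload = cip
    cpf = struct.pack('<IHH', 0, 0, 2) + addr + struct.pack('<HH', data_item_type, len(payload)) + payload
    return struct.pack('<HHII8sI', command, len(cpf), 1, 0, b'\x00' * 8, 0) + cpf


SAMPLE_FRAMES = {
    'benign': build_frame(ENIP_SEND_RR_DATA, CPF_UNCONNECTED_DATA,
                          build_cip_request(0x0E, SOCKET_OBJECT_CLASS, 1, b'')),          # Get_Attribute_Single
    'oversized_socket': build_frame(ENIP_SEND_UNIT_DATA, CPF_CONNECTED_DATA,
                          build_cip_request(0x10, SOCKET_OBJECT_CLASS, 1, b'A' * 300)),   # Set_Attribute_Single, padded
    'oversized_other_class': build_frame(ENIP_SEND_RR_DATA, CPF_UNCONNECTED_DATA,
                          build_cip_request(0x10, 0x01, 1, b'A' * 300)),                  # Identity Object, padded
}
_bad = bytearray(SAMPLE_FRAMES['benign'])
struct.pack_into('<H', _bad, 2, 9999)                        # corrupt the ENIP length field
SAMPLE_FRAMES['bad_length'] = bytes(_bad)

if __name__ == '__main__':
    for name, frame in SAMPLE_FRAMES.items():
        print(name, inspect_frame(frame) or 'ok')
```

The length check fires only for the Socket Object class, so a large write to another object passes silently; the ENIP length-field check runs first so that a truncated or inconsistent frame is reported as malformed rather than parsed into a misleading verdict. In production the threshold would be derived from the request sizes the legitimate engineering tools actually send to these modules.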