A security bypass vulnerability in Rockwell Automation’s Logix controllers, tracked as CVE-2024-6242, has been disclosed. It affects several models in the Logix family of programmable logic controllers (PLCs) and presents a notable risk to industrial automation systems worldwide.
Specifically, the flaw lies in the Trusted Slot feature of the ControlLogix 1756 chassis, a component found in many industrial control systems.
Decoding the Rockwell Automation Security Bypass Vulnerability
The Trusted Slot feature of the Rockwell Automation Logix controller is designed to block communication from modules in untrusted chassis slots (for example, a network card facing an untrusted network) from reaching the PLC’s central processing unit (CPU). The flaw allows an attacker to circumvent this safeguard, potentially enabling unauthorized modifications to user projects and device configurations.
Claroty’s detailed analysis, published on August 1, 2024, highlights the potential for an attacker with access to an affected 1756 chassis to exploit this vulnerability. The flaw allows attackers to send commands that can change settings or add unauthorized programs to the PLC CPU, bypassing the Trusted Slot security.
The security bypass vulnerability affects various Rockwell Automation products, including the ControlLogix® 5580 (1756-L8z), affected through firmware V28, and the GuardLogix 5580 (1756-L8zS), affected through firmware V31. Both are fixed in firmware versions V32.016, V33.015, V34.014, and V35.011 or later. The 1756-EN4TR is affected in version V2 and fixed in V5.001 and later.
The 1756-EN2T, 1756-EN2F, 1756-EN2TR, and 1756-EN3TR in Series A/B/C have no firmware fix; Rockwell Automation advises replacing them with a newer hardware series (Series D or C, depending on the module). Where an upgrade is not possible, Rockwell Automation recommends limiting the CIP commands the controller will accept by setting its mode switch to the RUN position, which blocks project downloads and online edits.
Technical Details and Risk Evaluation
As outlined in the CVE-2024-6242 advisory by CISA, this flaw allows an attacker to craft CIP routing paths that hop between slots on the local backplane within the chassis. A request that enters through a network card in an untrusted slot can thereby be delivered to the CPU as if it came from a trusted slot, bypassing the intended security boundary.
CVE-2024-6242 has a CVSS v3.1 base score of 8.4/10 and a CVSS v4.0 base score of 7.3/10, and is categorized under CWE-420: Unprotected Alternate Channel. The two scores differ because CVSS v4.0 adds an Attack Requirements metric and scores impact on the vulnerable system separately from impact on subsequent systems, rather than using the single Scope metric of v3.1.
Rockwell Automation’s ControlLogix 1756 series, a robust platform for high-performance industrial automation, uses the CIP protocol for communication. This protocol facilitates data exchange between devices like sensors, actuators, and controllers within a network. The 1756 chassis serves as a modular enclosure housing various I/O modules and communication processors, crucial for device interoperability.
Mitigation Strategies
To address CVE-2024-6242, Rockwell Automation recommends updating affected products to the fixed firmware versions. Where devices cannot be upgraded, the following mitigations apply:
Limit the CIP commands the controller accepts by setting its mode switch to the RUN position, and minimize network exposure by ensuring control systems are not reachable from the internet.
Employing firewalls to isolate control system networks from business networks, and using Virtual Private Networks (VPNs) that are kept up to date for secure remote access, is also advised. The Cybersecurity and Infrastructure Security Agency (CISA) stresses the importance of conducting thorough impact analysis and risk assessment before implementing any defensive measures.
For detection, Claroty has also published a Snort rule that flags suspicious CIP routing behavior consistent with attempts to exploit CVE-2024-6242 or similar flaws. The rule inspects CIP Forward Open requests whose route path redirects through the local chassis, improving the ability to detect and respond to such attempts.
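As an added illustration of the backplane-hopping route path described in the Technical Details section and of what a detection rule for it has to inspect, the following Python script (written for this page; it is not Claroty’s published Snort rule and not Rockwell code) decodes a CIP route path into its port-segment hops and flags a Forward Open whose path re-enters the local backplane. The sample route paths are constructed, not captured traffic, and the heuristic of treating two consecutive backplane hops as suspicious is an assumption derived from the description above rather than the logic of the published rule.

```python
from __future__ import annotations

from dataclasses import dataclass

# Port 1 is the 1756 chassis backplane on ControlLogix communication modules;
# other ports (e.g. port 2 on an Ethernet module) lead off the chassis.
BACKPLANE_PORT = 1


@dataclass(frozen=True)
class Hop:
    port: int    # CIP port on the module that forwards the message
    link: bytes  # link address: one-byte slot number for the backplane,
                 # or an ASCII IP address for an Ethernet port


def parse_route_path(path: bytes) -> list[Hop]:
    """Decode a CIP route path (a sequence of port segments) into hops.

    Port segment layout: bits 7-5 are 000; bit 4 set means an extended link
    address (length byte + address bytes) follows; bits 3-0 hold the port
    number, where 15 means a 16-bit port number follows. Each segment is
    padded to an even number of bytes.
    """
    hops: list[Hop] = []
    i = 0
    while i < len(path):
        start = i
        seg = path[i]
        i += 1
        if seg & 0xE0:
            raise ValueError(f"not a port segment: 0x{seg:02x} at offset {start}")
        extended_link = bool(seg & 0x10)
        port = seg & 0x0F
        if port == 0x0F:
            port = int.from_bytes(path[i:i + 2], "little")
            i += 2
        if extended_link:
            n = path[i]
            i += 1
            link = path[i:i + n]
            i += n
        else:
            n = 1
            link = path[i:i + 1]
            i += 1
        if len(link) != n:
            raise ValueError(f"truncated route path at offset {start}")
        if (i - start) % 2:  # skip the pad byte that keeps segments word-aligned
            i += 1
        hops.append(Hop(port, bytes(link)))
    return hops


def is_local_redirect(hops: list[Hop]) -> bool:
    """True when two consecutive hops both traverse the backplane.

    A normal request from a network module to the controller takes exactly
    one backplane hop (to the CPU's slot). Routing to another local slot and
    then straight back into the same backplane is the pattern described for
    the Trusted Slot bypass: the CPU sees the request arrive from whichever
    slot made the final hop. A path to a remote chassis alternates backplane
    and network hops, so it is not flagged (assumed heuristic, see lead-in).
    """
    return any(
        a.port == BACKPLANE_PORT and b.port == BACKPLANE_PORT
        for a, b in zip(hops, hops[1:])
    )


def describe(hops: list[Hop]) -> str:
    """Human-readable rendering of a decoded route path."""
    parts = []
    for h in hops:
        if h.port == BACKPLANE_PORT:
            parts.append(f"backplane->slot {h.link[0]}")
        else:
            parts.append(f"port {h.port}->{h.link.decode('ascii', 'replace')}")
    return " | ".join(parts)


# Constructed sample Forward Open route paths (not captured traffic).
SAMPLE_PATHS = {
    # Normal: enter the backplane once, deliver to the CPU in slot 0.
    "direct_to_cpu": bytes.fromhex("0100"),
    # Bypass pattern: backplane to slot 2, then back into the backplane to slot 0.
    "local_redirect": bytes.fromhex("01020100"),
    # Legitimate multi-hop: slot 3 bridge, out its port 2 to 192.168.1.10,
    # then into the remote chassis backplane to slot 0.
    "remote_chassis": bytes.fromhex("0103") + bytes([0x12, 12]) + b"192.168.1.10"
                      + bytes.fromhex("0100"),
}


def scan(paths: dict[str, bytes]) -> dict[str, bool]:
    """Map each path name to whether it shows a local backplane redirect."""
    return {name: is_local_redirect(parse_route_path(p)) for name, p in paths.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_PATHS.items():
        hops = parse_route_path(raw)
        flag = "ALERT" if is_local_redirect(hops) else "ok   "
        print(f"{flag} {name}: {describe(hops)}")
```

Running the script prints one line per sample path; only `local_redirect` is flagged. The same decoding is what a network sensor would apply to the route path carried in a CIP Forward Open before deciding whether the request is bound for a remote chassis or is bouncing inside the local one.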
Overall, the discovery of this vulnerability highlights the critical need for organizations to maintain up-to-date firmware and robust security practices. Affected users should apply patches or mitigations promptly and remain vigilant in following cybersecurity best practices to protect against evolving threats in industrial control systems.