Rockwell Controller Flaw Exposes Industrial Control Systems
Claroty Says Attackers Could Use Security Flaw to Bypass Trusted Slot Feature
A vulnerability in Rockwell Automation's ControlLogix 1756 devices allows attackers to bypass a critical security feature, turning the trusted slot mechanism into a hacker's secret passageway to jump between slots and gain access to industrial control systems.
Security researchers at operational technology security firm Claroty's Team82 uncovered the Rockwell Automation device flaw that allows attackers to exploit the mechanism that enforces security policies within the local chassis.
Rockwell Automation's ControlLogix 1756 is a series of programmable automation controllers widely used in industrial settings for high-performance, scalable automation applications. These controllers communicate over the Common Industrial Protocol, a standardized protocol for data exchange among devices in industrial networks. Once a controller is compromised, attackers could use CIP routing to move between local backplane slots, Claroty said.
The 1756 chassis includes slots that house various I/O modules, controllers and communication processors - all interconnected via a backplane, which facilitates communication and data exchange.
Researchers found a vulnerability, tracked as CVE-2024-6242, within the trusted slot feature of the ControlLogix 1756 devices. This feature is intended to deny communication from untrusted paths on the local chassis, ensuring only authorized slots can interact with the controller.
Researchers revealed a method to bypass this security mechanism by leveraging CIP routing, which defines the communication route through the backplane by specifying slot numbers in the path.
Researchers demonstrated that an attacker with network access to the device could exploit this vulnerability to jump between local backplane slots within the 1756 chassis, effectively traversing the security boundary intended to protect the CPU from untrusted cards.
By crafting a CIP packet that routes through a trusted slot before reaching the CPU, the attacker could bypass the trusted slot protection and send elevated commands, such as downloading logic to the PLC CPU.
This exploit stems from a limitation in the CIP protocol, where the CPU only checks the last slot in the routing path rather than the entire slot chain. Consequently, attackers could disguise their communication as originating from a trusted slot, even if they were behind an untrusted network card. This allows attackers to issue commands typically reserved for authorized devices, potentially compromising the integrity and security of the industrial control system.
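To make the path-validation point concrete, here is an added, simplified model (not Claroty's or Rockwell's code, and not real CIP segment encoding) that places the last-hop check beside a full-chain check; the slot numbers, trust set and sample requests are constructed.

```python
# Added example: a toy model of the trusted slot policy, not real CIP code.
# A request enters the chassis through the module in `entry_slot` and may be
# routed through further backplane slots in `path` before reaching the CPU.
# Slot assignments below are constructed for illustration.

CPU_SLOT = 0            # constructed: controller sits in slot 0
TRUSTED_SLOTS = {1}     # constructed: only the comms module in slot 1 is trusted


def slots_before_cpu(entry_slot, path):
    """Every backplane slot the request touches before the CPU, in order."""
    return [entry_slot] + [s for s in path if s != CPU_SLOT]


def last_hop_check(entry_slot, path, trusted=TRUSTED_SLOTS):
    """Weak policy as described for CVE-2024-6242: only the slot immediately
    before the CPU is consulted, so an untrusted upstream slot is invisible."""
    hops = slots_before_cpu(entry_slot, path)
    return hops[-1] in trusted


def full_chain_check(entry_slot, path, trusted=TRUSTED_SLOTS):
    """Hardened policy: every slot in the chain, including the entry module,
    must be trusted, so routing via a trusted slot gains nothing."""
    hops = slots_before_cpu(entry_slot, path)
    return all(s in trusted for s in hops)


def audit(entry_slot, path):
    """Compare both policies for one request; useful when reviewing which
    routed requests a last-hop-only check would have let through."""
    return {
        "chain": slots_before_cpu(entry_slot, path),
        "last_hop": last_hop_check(entry_slot, path),
        "full_chain": full_chain_check(entry_slot, path),
    }


# Constructed sample requests: (entry_slot, routed path)
SAMPLE_REQUESTS = [
    (1, []),    # direct from trusted slot: both policies allow
    (3, []),    # direct from untrusted slot: both policies deny
    (3, [1]),   # untrusted entry routed via trusted slot: only full chain denies
]

if __name__ == "__main__":
    for entry, path in SAMPLE_REQUESTS:
        print(audit(entry, path))
```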
Rockwell Automation acknowledged the severity of this vulnerability and issued a fix for CVE-2024-6242, assigning it a CVSSv3 score of 8.4, indicating a high level of risk.
Users of ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules are strongly urged to apply this fix immediately to mitigate the risk associated with this security flaw. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency published an advisory with further mitigation advice.
Researchers said ControlLogix 1756 devices are integral to many industrial automation systems, providing critical control and communication functions across various applications.
The flaw in the trusted slot feature could enable unauthorized commands to the PLC CPU, bypassing intended security measures.
Organizations using these devices should apply the necessary updates and remain vigilant to safeguard industrial automation systems from potential threats.