Rockwell Automation ControlLogix Communication Modules Vulnerabilities (CVE-2023-3595 and CVE-2023-3596)

Fortiguard Security Advisory

What is Rockwell Automation ControlLogix Communications Modules?

Rockwell Automation ControlLogix communications modules are devices from Rockwell Automation, a US-based automation technology company, and are used by various industry sectors including critical infrastructure to establish communication links between devices.

What is the Attack?

CVE-2023-3595 is an out-of-bounds write vulnerability that affects the vulnerable 1756 EN2* and 1756 EN3* series of Rockwell Automation ControlLogix EtherNet/IP communication modules. Successful exploitation of a vulnerable system via maliciously crafted Common Industrial Protocol (CIP) messages could allow an attacker to perform various actions such as manipulating the firmware of a module, adding new functionality to a module, flushing the module’s memory, forging traffic to and from the module, establishing persistence on the module, and potentially affecting the underlying industrial process, which could result in destructive or disruptive consequences. The vulnerability has a CVSS base score of 9.8 and is rated critical by Rockwell Automation.

CVE-2023-3596 is an out-of-bounds write vulnerability that affects the vulnerable 1756 EN4* series of Rockwell Automation ControlLogix EtherNet/IP communication modules. Successful exploitation of a vulnerable system via maliciously crafted CIP messages could result in a Denial of Service (DoS) condition. The vulnerability has a CVSS base score of 7.5 and is rated high by Rockwell Automation.

Why is this Significant?

This is significant because the Rockwell Automation advisory indicates that an unnamed threat actor reportedly owns the exploit for these vulnerabilities.
FortiGuard Labs advises owners of the vulnerable modules to update the firmware as soon as possible. CISA has also released an advisory to urge users to do the same.

What is the Vendor Solution?

Rockwell Automation has released new firmware that addresses the vulnerabilities.

For more information, please see the Appendix for a link to a Rockwell Automation advisory entitled “Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules. Note that the advisory requires a valid login.

What FortiGuard Coverage is available?

FortiGuard Labs has released a new IPS signature ” Rockwell.Automation.ControlLogix.Remote.Code.Execution ” in response to CVE-2023-3595 and CVE-2023-3596.

READ MORE