
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified two security flaws affecting Rockwell Automation's ControlLogix EtherNet/IP (ENIP) communication module models that could be exploited to achieve remote code execution and denial of service (DoS).
"The consequences and impact of exploiting these vulnerabilities will vary depending on the ControlLogix system configuration, but may include denial or loss of control, denial or loss of visibility, theft of operational data, or disruptive or destructive consequences on the system through manipulation of controls over the industrial process that the ControlLogix system is responsible for," says Dragos.
Here is the list of flaws:
- CVE-2023-3595 (CVSS score: 9.8) – An out-of-bounds write flaw affecting 1756 EN2* and 1756 EN3* products that could allow persistent arbitrary code execution.
- CVE-2023-3596 (CVSS score: 7.5) – An out-of-bounds write flaw affecting 1756 EN4* products that can cause a DoS condition through a maliciously crafted CIP message.
“Successfully exploiting these vulnerabilities could allow a malicious attacker to remotely access the module’s execution memory and perform malicious activity,” CISA said.
Worse, the flaw could be exploited to overwrite any part of the system, leaving the module untrustworthy and allowing the compromise to persist while staying under the radar.
Affected devices include 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK, 1756-EN4TR, 1756-EN4TRK, and 1756-EN4TRXT. Patches are available from Rockwell Automation to address these issues.
"The type of access provided by CVE-2023-3595 is similar to the zero-day used by XENOTIME in the TRISIS attack," said the industrial cybersecurity firm Dragos. "Both allow arbitrary firmware memory manipulation, but CVE-2023-3595 targets communication modules responsible for processing network commands. However, the impact is the same."
TRISIS, also known as TRITON, is an industrial control system (ICS) malware previously observed targeting Schneider Electric's Triconex Safety Instrumented System (SIS) controllers used in oil and gas facilities. A petrochemical plant in Saudi Arabia was discovered as a victim in late 2017, according to Dragos and Mandiant.
Dragos has discovered "undisclosed exploit functionality exploiting these vulnerabilities" associated with a specific nation-state group, but warned that, as of mid-July 2023, it "has no evidence of actual exploitation, and the victim organizations or industries targeted are not known."
"In addition to compromising the vulnerable module itself, this vulnerability could allow an attacker to impact industrial processes along with the underlying critical infrastructure, resulting in possible disruption or destruction," said Tenable researcher Satnam Narang of CVE-2023-3595.