A high-severity security bypass vulnerability has been disclosed in Rockwell Automation ControlLogix 1756 devices that could be exploited to execute common industrial protocol (CIP) programming and configuration commands.
The flaw, which is assigned the CVE identifier CVE-2024-6242, carries a CVSS v3.1 score of 8.4.
“A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted Slot feature in a ControlLogix controller,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.
“If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.”
Operational technology security company Claroty, which discovered and reported the vulnerability, said it developed a technique that made it possible to bypass the trusted slot feature and send malicious commands to the programming logic controller (PLC) CPU.
The trusted slot feature “enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis,” security researcher Sharon Brizinov said.
“The vulnerability we found, before it was fixed, allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, traversing the security boundary meant to protect the CPU from untrusted cards.”
While a successful exploit requires network access to the device, an attacker could take advantage of the flaw to send elevated commands, including downloading arbitrary logic to the PLC CPU, even if the attacker is located behind an untrusted network card.
Following responsible disclosure, the shortcoming has been addressed in the following versions –
- ControlLogix 5580 (1756-L8z) – Update to versions V32.016, V33.015, V34.014, V35.011, and later.
- GuardLogix 5580 (1756-L8zS) – Update to versions V32.016, V33.015, V34.014, V35.011 and later.
- 1756-EN4TR – Update to versions V5.001 and later.
- 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A – Update to version V12.001 and later
“This vulnerability had the potential to expose critical control systems to unauthorized access over the CIP protocol that originated from untrusted chassis slots,” Brizinov said.