CVE-2023-3595, CVE-2023-3596: Vulnerabilidades Rockwell Automation ControlLogix divulgadas
Rockwell Automation issues advisory for multiple vulnerabilities, including a critical flaw that could lead to disruption or destruction of critical infrastructure processes.
Update July 12: The Identifying Affected Systems section has been updated to include a newly released Tenable OT Security plugin as well as updates to our existing plugins for these vulnerabilities.
Contexto
On July 12, Rockwell Automation published an advisory for multiple vulnerabilities in its Allen-Bradley ControlLogix Communications Modules. ControlLogix Communications Modules are used in many industries and sectors, including energy, transportation and water, among others, to enable communication between machines, IT systems and remote chassis.
| CVE | Descrição | CVSSv3 | Gravidade |
|---|---|---|---|
| CVE-2023-3595 | Rockwell Automation Allen-Bradley ControlLogix Communication Modules Remote Code Execution vulnerability | 9.8 | Crítica |
| CVE-2023-3596 | Rockwell Automation Allen-Bradley ControlLogix Communication Modules Denial of Service vulnerability | 7.5 | Alta |
It is important to note these modules can be implemented in multiple logical (and physical) configurations. A 1756 ControlLogix Chassis can have up to 17 modules installed in a local chassis. It is common to have multiple network interfaces (physical network cards) configured to bridge and/or segment networks in industrial environments.
Análise
CVE-2023-3595 is a remote code execution (RCE) vulnerability in Rockwell Automation Allen-Bradley ControlLogix Communication Modules for its 1756 EN2* and 1756 EN3* product families. An attacker could exploit this vulnerability to gain RCE on a vulnerable module by sending specially crafted common industrial protocol (CIP) messages. This risk of exploitation is amplified if the module is not segmented from the internet. Successful exploitation could give an attacker the ability to compromise the memory of a vulnerable module, enabling the attacker to:
- Manipulate the firmware of a module
- Add new functionality into a module
- Wipe the memory of a module
- Forge traffic between a module
- Obtain persistence on a module
In addition to the compromise of the vulnerable module itself, the vulnerability could also allow an attacker to affect the industrial process along with the underlying critical infrastructure, which may result in possible disruption or destruction.
CVE-2023-3596 is a denial of service (DoS) vulnerability in Rockwell Automation Allen-Bradley ControlLogix Communication Modules for its 1756 EN4* product family. An attacker could exploit this vulnerability to cause a DoS condition on a target system by sending specially crafted CIP messages to a vulnerable device.
At the time this blog post was published, there was no evidence of active exploitation involving either vulnerability.
Solução
Rockwell Automation has released fixed firmware versions for certain versions of its ControlLogix modules:
|
ControlLogix catalog |
Series |
Affected versions |
Fixed versions |
|---|---|---|---|
|
1756-EN2T |
A,B,C |
<=5.008 & 5.028 |
5.029 for signed version (recommended) |
|
D |
11.003 and lower |
11.004 and later |
|
|
1756-EN2TP |
A |
11.003 and lower |
11.004 and later |
|
1756-EN2TR |
A,B |
<=5.008 & 5.028 |
5.029 for signed version (recommended) |
|
C |
11.003 and lower |
11.004 and later |
|
|
1756-EN2F |
A, B |
<=5.008 & 5.028 |
5.029 for signed version (recommended) |
|
C |
11.003 and lower |
11.004 and later |
|
|
1756-EN3TR |
A |
<=5.008 & 5.028 |
5.029 for signed version (recommended) |
|
B |
<=11.003 |
Update to 11.004 or later |
|
|
1756-EN4TR |
A |
<=5.001 |
Update to 5.002 and later |
Some of the best practices include proper segmentation of control networks and utilizing intrusion detection system (IDS) signatures to help identify “anomalous Common Industrial Protocol (CIP)” traffic to vulnerable devices.
Identificação de sistemas afetados
To identify affected systems, Tenable has released the following plugins available for Tenable OT Security (formerly Tenable.ot), Tenable Vulnerability Management (formerly Tenable.io), Tenable Security Center (formerly Tenable.sc) and Tenable Nessus:
| Plugin ID | Cargo | Gravidade | Family |
|---|---|---|---|
| 177893 | Rockwell Automation ControlLogix Communications Modules Multiple Vulnerabilities | Crítica | SCADA |
| 501226 | Rockwell Automation ControlLogix Communications Modules Remote Code Execution (CVE-2023-3595) | Crítica | Tenable OT Security |
| 501228 | Rockwell Automation ControlLogix Communications Modules Denial of Service (CVE-2023-3596) | Alta | Tenable OT Security |
For urgency, Tenable customers can utilize the SCADA plugin to scan for vulnerable devices using Tenable Vulnerability Management, Tenable Security Center and Tenable Nessus. However, for greater visibility regarding the impact to your networks, we strongly encourage customers to utilize our Tenable OT Security plugins. For more information on using Tenable OT Security to identify vulnerable assets, please check out the blog post Finding Rockwell Automation Allen-Bradley Communication Modules Affected By CVE-2023-3595, CVE-2023-3596 in OT Environments.
In addition to these plugins, Tenable Research recommends customers use the following IDS event rule IDs (SIDs) in Tenable OT Security to detect potentially compromised Communications Adapters:
| SID | Message |
|---|---|
| 1992000 | PROTOCOL-SCADA ENIP CIP Socket Object unconnected read with unusual length detected. |
| 1992001 | PROTOCOL-SCADA ENIP CIP Socket Object unconnected ucmm read with unusual length detected. |
| 1992002 | PROTOCOL-SCADA ENIP CIP Socket Object connected read with unusual length detected. |
| 1992003 | PROTOCOL-SCADA ENIP CIP Socket Object connected ucmm read with unusual length detected. |
| 1992004 | PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 1 contains unusual length. |
| 1992005 | PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected parameter 2 contains unusual length. |
| 1992006 | PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 1 contains unusual length. |
| 1992007 | PROTOCOL-SCADA ENIP CIP Vendor Specific Object unconnected ucmm parameter 2 with unusual length. |
| 1992008 | PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 1 contains unusual length. |
| 1992009 | PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected parameter 2 with unusual length. |
| 1992010 | PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 1 contains unusual length. |
| 1992011 | PROTOCOL-SCADA ENIP CIP Vendor Specific Object connected ucmm parameter 2 contains unusual length. |
For more information on how to utilize these SIDs in Tenable OT Security, please refer to the following knowledge base article.
We will update this blog post when/if additional coverage becomes available.
Obtenha mais informações
- Tenable Blog: Finding Rockwell Automation Allen-Bradley Communication Modules Affected by CVE-2023-3595 and CVE-2023-3596 in OT Environments
- Rockwell Advisory for CVE-2023-3595 and CVE-2023-3596
- Tenable Knowledge Base Article for Using SIDs
Junte-se à equipe de resposta de segurança da Tenable na Tenable.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Change Log
Update July 12: The Identifying Affected Systems section has been updated to include a newly released Tenable OT Security plugin as well as updates to our existing plugins for these vulnerabilities.
Artigos relacionados
Cybersecurity Snapshot: New Guide Explains How To Assess if Software Is Secure by Design, While NIST Publishes GenAI Risk Framework
May 10, 2024Is the software your company wants to buy securely designed? A new guide outlines how you can find out. Meanwhile, a new NIST framework can help you assess your GenAI systems’ risks. Plus, a survey shows a big disconnect between AI usage (high) and AI governance (low). And MITRE’s breach post-mortem brims with insights and actionable tips. And much more!
CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities
May 9, 2024Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.
Cybersecurity Snapshot: Attackers Pounce on Unpatched Vulns, DBIR Says, as Critical Infrastructure Orgs Benefit from CISA’s Alert Program
May 3, 2024Verizon’s DBIR found that hackers are having a field day exploiting vulnerabilities to gain initial access. Plus, a CISA program is helping critical infrastructure organizations prevent ransomware attacks. In addition, check out what Tenable’s got planned for RSA Conference 2024. And get the latest on the Change Healthcare breach. And much more!
Cybersecurity Snapshot: New Guide Explains How To Assess if Software Is Secure by Design, While NIST Publishes GenAI Risk Framework
May 10, 2024Is the software your company wants to buy securely designed? A new guide outlines how you can find out. Meanwhile, a new NIST framework can help you assess your GenAI systems’ risks. Plus, a survey shows a big disconnect between AI usage (high) and AI governance (low). And MITRE’s breach post-mortem brims with insights and actionable tips. And much more!
CVE-2024-21793, CVE-2024-26026: Proof of Concept Available for F5 BIG-IP Next Central Manager Vulnerabilities
May 9, 2024Researchers disclose multiple vulnerabilities in F5 BIG-IP Next Central Manager and provide proof-of-concept exploit code, which could lead to exposure of hashed passwords.
Cybersecurity Snapshot: Attackers Pounce on Unpatched Vulns, DBIR Says, as Critical Infrastructure Orgs Benefit from CISA’s Alert Program
May 3, 2024Verizon’s DBIR found that hackers are having a field day exploiting vulnerabilities to gain initial access. Plus, a CISA program is helping critical infrastructure organizations prevent ransomware attacks. In addition, check out what Tenable’s got planned for RSA Conference 2024. And get the latest on the Change Healthcare breach. And much more!
- Exposure Management
- Vulnerability Management
- Exposure Management