A recently disclosed high-severity security bypass vulnerability in Rockwell Automation ControlLogix 1756 devices poses a significant threat by allowing the execution of Common Industrial Protocol (CIP) commands for programming and configuration.
This vulnerability, identified as CVE-2024-6242, has been assigned a CVSS v3.1 score of 8.4.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory stating, “A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted Slot feature in a ControlLogix controller.”
Operational technology security company Claroty, the discoverer of the vulnerability, developed a technique to exploit the flaw, enabling the bypass of the trusted slot feature to send malicious commands to the programmable logic controller (PLC) CPU.

According to security researcher Sharon Brizinov, the trusted slot feature “enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis.”
Brizinov further explained, “The vulnerability we found, before it was fixed, allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, traversing the security boundary meant to protect the CPU from untrusted cards.”
While exploiting the vulnerability requires network access to the device, it grants attackers the ability to send elevated commands, such as downloading arbitrary logic to the PLC CPU, even from behind an untrusted network card.
After responsible disclosure, Rockwell Automation has addressed the issue in the following versions:
- ControlLogix 5580 (1756-L8z) – Update to versions V32.016, V33.015, V34.014, V35.011, and later.
- GuardLogix 5580 (1756-L8zS) – Update to versions V32.016, V33.015, V34.014, V35.011 and later.
- 1756-EN4TR – Update to versions V5.001 and later.
- 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A – Update to version V12.001 and later.
Brizinov highlighted, “This vulnerability had the potential to expose critical control systems to unauthorized access over the CIP protocol that originated from untrusted chassis slots.”
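To check an asset inventory against the fixed versions listed above, the following added example (not code from Rockwell Automation, CISA or Claroty) classifies each module as fixed, needing an update, or not covered by the list. It assumes each controller version in the list is the minimum for its own major release and that majors above V35 are fixed; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed-version floors transcribed from the list above.
# Controllers (1756-L8z / 1756-L8zS): one floor per major release.
# Assumption: a major release newer than any listed one counts as fixed.
CONTROLLER_FLOORS = {32: 16, 33: 15, 34: 14, 35: 11}
# Communication modules: (catalog, series) -> (major, minor) floor.
# Series None means the list names no series for that catalog number.
MODULE_FLOORS = {
    ("1756-EN4TR", None): (5, 1),
    ("1756-EN2T", "D"): (12, 1),
    ("1756-EN2F", "C"): (12, 1),
    ("1756-EN2TR", "C"): (12, 1),
    ("1756-EN3TR", "B"): (12, 1),
    ("1756-EN2TP", "A"): (12, 1),
}

def parse_rev(text):
    """'V33.015', 'v12.001' or '33.15' -> (33, 15); ValueError otherwise."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware revision: {text!r}")
    return int(m.group(1)), int(m.group(2))

def status(catalog, firmware, series=None):
    """Return 'fixed', 'needs-update' or 'not-listed' for one module."""
    cat = catalog.strip().upper()
    major, minor = parse_rev(firmware)
    if re.fullmatch(r"1756-L8\w+", cat):
        if major > max(CONTROLLER_FLOORS):
            return "fixed"
        floor = CONTROLLER_FLOORS.get(major)  # None: no fix listed for this major
        return "fixed" if floor is not None and minor >= floor else "needs-update"
    floor = (MODULE_FLOORS.get((cat, None))
             or MODULE_FLOORS.get((cat, (series or "").upper())))
    if floor is None:
        return "not-listed"  # catalog/series not in the list: check the advisory
    return "fixed" if (major, minor) >= floor else "needs-update"

# Constructed sample inventory: (label, catalog, series, firmware revision).
INVENTORY = [
    ("line1-slot0", "1756-L83E", None, "V33.011"),
    ("line1-slot1", "1756-EN2T", "D", "V11.004"),
    ("line1-slot2", "1756-EN2T", "B", "V10.010"),
    ("line2-slot0", "1756-L84ES", None, "36.011"),
    ("line2-slot1", "1756-EN4TR", "A", "V5.001"),
]

def audit(inventory):
    return {label: status(cat, fw, series) for label, cat, series, fw in inventory}

if __name__ == "__main__":
    for label, result in audit(INVENTORY).items():
        print(f"{label:12} {result}")
```

A `not-listed` result means the list above does not name that catalog number and series, so the vendor advisory has to be consulted for it.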