Security
Headlines
HeadlinesLatestCVEs

Headline

Rockwell PLC Security Bypass Threatens Manufacturing Processes

A security vulnerability in Rockwell Automation’s ControlLogix 1756 programmable logic controllers, tracked as CVE-2024-6242, could allow tampering with physical processes at plants.

DARKReading
#vulnerability#mac#auth

Source: Kay Roxby via Alamy Stock Photo

A security bypass vulnerability in Rockwell Automation ControlLogix 1756 devices could open critical infrastructure to cyberattacks on the operational technology (OT) that controls physical processes.

According to Claroty’s Team82, the bug (CVE-2024-6242, CVSS 8.4), could allow a remote attacker with network access to the device to send elevated commands to the CPU of a programmable logic controller (PLC), from an untrusted chassis card.

“Our technique allowed us to bypass the trusted slot feature implemented by Rockwell that enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis,” Claroty researcher Sharon Brizinov explained in a blog posting on the bug.

The result? Successful attackers can download new logic for controlling a PLC’s behavior, and send other elevated commands that would interfere with the physical operations of a manufacturing site.

Rockwell has issued a fix, and users are urged to apply it immediately; and the Cybersecurity and Infrastructure Security Agency has published mitigation advice, noting that exploitation is a low-complexity endeavor.

According to Rockwell, ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules, widely deployed in industrial manufacturing environments, are affected by the vulnerability.

Manipulating the Trusted Slot Mechanism

The 1756 chassis is a modular enclosure that houses various cards within physical slots that are responsible for communicating with sensors, actuators, and other OT equipment; they also provide the physical and electrical connections to allow those components to interoperate and talk to each other. All of the communication and connections are carried out via a shared circuit board known as the backplane, using the common industrial protocol, or CIP.

“A 1756 PLC in a production line might be connected to multiple sources via different network cards, for example, the human-machine interface (HMI) panel, engineering workstation, and other devices,” Brizinov explained. “To ensure that only specific individual devices are performing elevated operations on the PLC such as download logic, a security mechanism was introduced called trusted slot.”

The trusted-slot feature ensures that only authorized slots can communicate with each other, protecting against potential tampering. It does this by requiring slots to essentially authenticate to the PLC.

However, Claroty found a way around that.

“Since all slots are connected via the backplane, and CIP supports path (routing), we could generate a CIP packet that will be routed through a trusted card before it reaches the CPU,” according to the blog post. “Basically, the method involved ‘jumping’ between local backplane slots…This technique allowed us to traverse the security boundary that was meant to protect the CPU from untrusted cards.”

To prevent the exposure of critical control systems to unauthorized access over the CIP protocol, site security administrators should apply Rockwell’s patches immediately:

  • ControlLogix 5580 (1756-L8z): Update to versions V32.016, V33.015, V34.014, V35.011, and later.

  • GuardLogix 5580 (1756-L8zS): Update to versions V32.016, V33.015, V34.014, V35.011 and later.

  • 1756-EN4TR: Update to versions V5.001 and later.

  • 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A: Update to version V12.001 and later

About the Author

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Related news

Critical Flaw in Rockwell Automation Devices Allows Unauthorized Access

A high-severity security bypass vulnerability has been disclosed in Rockwell Automation ControlLogix 1756 devices that could be exploited to execute common industrial protocol (CIP) programming and configuration commands. The flaw, which is assigned the CVE identifier CVE-2024-6242, carries a CVSS v3.1 score of 8.4. "A vulnerability exists in the affected products that allows a threat actor to

DARKReading: Latest News

Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel