Rockwell Automation has released patches for a critical remote code execution vulnerability that affects many versions of its communications modules, and is warning customers that an exploit for the bug exists, although no exploitation has been observed yet.
The vulnerability (CVE-2023-3595) is an out-of-bounds write in Rockwell’s ControlLogix 1756-EN2* and EN3* series of communications modules, which provide Ethernet IP connectivity in OT environments. Rockwell discovered the vulnerability internally, and reported it to the Cybersecurity and Infrastructure Security Agency, which published an advisory on Wednesday. There is a separate bug (CVE-2023-3596) identifier for the vulnerability in the 1756-EN4* series of products, since exploitation results in a denial of service rather than RCE. Rockwell said that it had discovered and analyzed an exploit for the bug, which it attributed to an unnamed APT actor.
“We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear. Previous threat actors cyberactivity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers,” the Rockwell advisory says.
“Exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affect the underlying industrial process. This could result in destructive actions where vulnerable modules are installed, including critical infrastructure.”
“Knowing about an APT-owned vulnerability before exploitation is a rare opportunity for proactive defense."
The affected modules are used in critical manufacturing settings, and Rockwell has released firmware updates for all of the modules. The Shadowserver Foundation, which tracks exploit activity and vulnerabilities, identified about 107 vulnerable modules exposed to the Internet on Thursday. One of the interesting aspects of this vulnerability is that researchers were able to identify the exploit and discover that an APT actor had also discovered the bug, before the actor actually used the exploit.
“Knowing about an APT-owned vulnerability before exploitation is a rare opportunity for proactive defense for critical industrial sectors. The type of access provided by CVE-2023-3595 is similar to the zero-day employed by XENOTIME in the TRISIS attack. Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands. However, their impact is the same,” researchers at iCS security firm Dragos said.
“Additionally, in both cases, there exists the potential to corrupt the information used for incident response and recovery. The attacker could potentially overwrite any part of the system to hide themselves and stay persistent, or the interfaces used to collect incident response or forensics information could be intercepted by malware to avoid detection.”
Organizations running affected Rockwell ControlLogix modules should install the updated firmware as soon as possible.