A severe vulnerability has been identified in Rockwell Automation’s ControlLogix 1756 devices, tracked as CVE-2024-6242. This critical flaw, which has been assigned a CVSS v3.1 score of 8.4, allows attackers to bypass the Trusted Slot feature in ControlLogix controllers. The vulnerability could enable unauthorized users to execute common industrial protocol (CIP) commands and potentially modify user projects or device configurations. This exposes the system to significant risks, including unauthorized access and manipulation of control logic.
Discovered by operational technology security firm Claroty, the vulnerability impacts the ability of the Trusted Slot feature to enforce security policies, which are designed to block communication from untrusted paths within the local chassis. Security researcher Sharon Brizinov noted that the flaw allows attackers to navigate between local backplane slots in a 1756 chassis using CIP routing. This bypasses the security boundary intended to protect the PLC CPU from untrusted network cards, giving attackers the capability to send elevated commands to the device.
Successful exploitation of this flaw requires network access to the affected device, but it could lead to serious consequences, including unauthorized downloading of logic to the PLC CPU. This underscores the importance of addressing such vulnerabilities promptly to safeguard critical industrial control systems from potential threats.
In response to the disclosure, Rockwell Automation has released several updates to address the issue. Users are advised to upgrade to ControlLogix 5580 (1756-L8z) or GuardLogix 5580 (1756-L8zS) versions V32.016, V33.015, V34.014, V35.011, or later; 1756-EN4TR to version V5.001 or later; and 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A to version V12.001 or later. Implementing these updates is crucial to mitigate the risk and protect systems from unauthorized access and potential disruption.
Reference:
