An advanced persistent threat (APT) group has identified vulnerabilities in Rockwell Automation products that could potentially cause disruption or destruction in critical infrastructure organizations.
The vulnerabilities, CVE-2023-3595 and CVE-2023-3596, impact ControlLogix EtherNet/IP communication modules and can be exploited for remote code execution and denial-of-service attacks. Rockwell Automation has released firmware patches and shared indicators of compromise to address the vulnerabilities. The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an advisory to raise awareness about the risks. While no exploitation has been detected so far, the potential impact on critical infrastructure remains a significant concern.
The vulnerabilities in question, CVE-2023-3595 and CVE-2023-3596, affect specific Rockwell Automation products, including the 1756 EN2, 1756 EN3, and 1756-EN4. The critical flaw, CVE-2023-3595, enables an attacker to achieve remote code execution by exploiting Common Industrial Protocol (CIP) messages.
On the other hand, CVE-2023-3596 is a high-severity denial-of-service (DoS) bug that can be triggered using specially crafted CIP messages. These vulnerabilities could allow threat actors to manipulate, block, or exfiltrate data passing through affected devices.
Rockwell Automation has taken steps to address the vulnerabilities by releasing firmware patches for the impacted products and sharing potential indicators of compromise and detection rules. The company acknowledges the potential risk to critical infrastructure and emphasizes the importance of addressing these vulnerabilities promptly. The US Cybersecurity and Infrastructure Security Agency (CISA) has collaborated with Rockwell in investigating the exploits and has also issued an advisory to inform organizations about the vulnerabilities and the associated risks.
Industrial cybersecurity firm Dragos has conducted an analysis of the vulnerabilities and the exploit capability, suggesting that the APT group responsible for these vulnerabilities aims to target critical infrastructure. While no evidence of exploitation in the wild has been found, Dragos compares the impact of one of the vulnerabilities, CVE-2023-3595, to the zero-day flaw exploited by a Russia-linked state-sponsored group in Trisis/Triton malware attacks.
The company emphasizes the significance of identifying and addressing APT-owned vulnerabilities before they can be exploited, providing a rare opportunity for proactive defense in critical industrial sectors.