A high severity security bypass vulnerability has been discovered in Rockwell Automation ControlLogix 1756 devices that could be exploited to execute Common Industrial Protocol (CIP) programming and configuration commands.
This flaw has been assigned the CVE identifier CVE-2024-6242 and carries a CVSS v3.1 score of 8.4.
“The affected products contain a vulnerability that could allow a threat actor to bypass the Trusted Slot functionality of ControlLogix controllers,” the US Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.
“If exploited on an affected module in a 1756 chassis, a threat actor could execute CIP commands that modify user projects and/or device configurations on the Logix controllers in the chassis.”
Claroty, the operational technology security firm that discovered and reported the vulnerability, said it had developed a technique that could circumvent trusted slot functionality and send malicious commands to programmable logic controller (PLC) CPUs.
Security researcher Sharon Brizinov said the trusted slots feature “enforces security policies, allowing the controller to reject communications over untrusted paths on the local chassis.”
“The vulnerability we discovered, before it was fixed, allowed an attacker to use CIP routing to move between local backplane slots in the 1756 chassis, circumventing the security perimeter that protects the CPU from untrusted cards.”
A successful exploit requires network access to the device, but even if an attacker is behind an untrusted network card, they could use this flaw to send elevated commands, such as downloading arbitrary logic to the PLC CPU.
Following responsible disclosure, this shortcoming has been fixed in the following versions:
- ControlLogix 5580 (1756-L8z) – Update to versions V32.016, V33.015, V34.014, V35.011 or newer.
- GuardLogix 5580 (1756-L8zS) – Update to versions V32.016, V33.015, V34.014, V35.011 or newer.
- 1756-EN4TR – Update to version V5.001 or later.
- 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A – Update to version V12.001 or later.
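As an added illustration of the remediation list above (example code, not from Claroty, Rockwell or the CISA advisory), the following Python checks an asset inventory against the fixed firmware versions; the inventory entries are constructed, and the check assumes that major releases newer than those listed carry the fix while older majors do not.

```python
# Flag 1756 devices whose firmware is below the fixed releases for CVE-2024-6242.
import re

# Minimum fixed minor version per product, keyed by major release, taken
# from the version list above. Assumption (not stated in the advisory):
# a major newer than any listed is fixed, an older major is not.
FIXED = {
    "ControlLogix 5580": {32: 16, 33: 15, 34: 14, 35: 11},
    "GuardLogix 5580": {32: 16, 33: 15, 34: 14, 35: 11},
    "1756-EN4TR": {5: 1},
    "1756-EN2T Series D": {12: 1}, "1756-EN2F Series C": {12: 1},
    "1756-EN2TR Series C": {12: 1}, "1756-EN3TR Series B": {12: 1},
    "1756-EN2TP Series A": {12: 1},
}


def parse_version(text):
    """Turn a Rockwell-style string such as 'V32.016' into (32, 16)."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_fixed(product, version):
    """True if `version` of `product` is at or above a fixed release."""
    fixed = FIXED[product]
    major, minor = parse_version(version)
    if major in fixed:
        return minor >= fixed[major]
    # Assumed: newer majors carry the fix, older majors do not.
    return major > max(fixed)


def needs_update(inventory):
    """Return the (name, product, version) entries still vulnerable."""
    return [entry for entry in inventory if not is_fixed(entry[1], entry[2])]


# Constructed sample inventory; device names and versions are made up.
SAMPLE_INVENTORY = [
    ("plc-line1", "ControlLogix 5580", "V33.011"),
    ("plc-line2", "ControlLogix 5580", "V35.012"),
    ("safety-1", "GuardLogix 5580", "V36.001"),
    ("enet-1", "1756-EN4TR", "V4.002"),
    ("enet-2", "1756-EN2TR Series C", "V12.001"),
]

if __name__ == "__main__":
    for name, product, ver in needs_update(SAMPLE_INVENTORY):
        print(f"{name}: {product} {ver} is below the fixed release")
```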
“This vulnerability may expose critical control systems to unauthorized access via the CIP protocol originating from untrusted chassis slots,” Brizinov said.