
Rockwell Automation Exposed to New Security Bypass Vulnerability


A recently disclosed security flaw in Rockwell Automation’s Logix controllers has caught the attention of cybersecurity experts and poses a significant risk to industrial automation systems globally. The vulnerability, tracked as CVE-2024-6242, affects the Trusted Slot feature of the ControlLogix 1756 chassis, a critical component in many industrial control setups.

The Trusted Slot feature of Rockwell Automation’s Logix controllers is designed to prevent unauthorized communication channels from reaching the PLC’s central processing unit. CVE-2024-6242, however, allows malicious actors to bypass this protection, potentially leading to unauthorized modifications of project settings and device configurations.

A detailed analysis published by Claroty on August 1, 2024, underscored the exploitability of this vulnerability. An attacker with network access to an affected 1756 chassis can send commands that manipulate settings or load unauthorized programs onto the PLC CPU, circumventing the Trusted Slot security measure.

Various Rockwell Automation products, including the ControlLogix® 5580 and GuardLogix 5580, are affected by this security bypass vulnerability when running firmware versions up to V28 and V31, respectively. To address the issue, updating to firmware versions V32.016, V33.015, V34.014, or V35.011 and later is recommended. Additionally, the vulnerability in the 1756-EN4TR with version V2 has been fixed in V5.001 and subsequent releases.

For models such as the 1756-EN2T, 1756-EN2F, 1756-EN2TR, and 1756-EN3TR that will not receive fixes, users are advised to upgrade to Series D or Series C hardware. If upgrading is not feasible, mitigation measures such as restricting CIP commands by setting the controller’s mode switch to RUN can reduce the risk of exploitation.

CVE-2024-6242 allows attackers to use CIP routing to hop between local backplane slots within the chassis, breaching the intended security boundary and initiating communication with the CPU from an untrusted network card. With a CVSS v3.1 Base Score of 8.4/10 and a CVSS v4.0 Base Score of 7.3/10, the flaw is classified as CWE-420: Unprotected Alternate Channel and poses a notable security risk to industrial systems.

Rockwell Automation’s ControlLogix 1756 series relies on the CIP protocol for data exchange among networked devices, which makes timely firmware updates the primary defense against vulnerabilities like CVE-2024-6242. Mitigations recommended by Rockwell Automation include updating affected products to the latest firmware versions and limiting CIP commands by setting the mode switch to the RUN position.

To strengthen security posture further, operators should use firewalls to isolate control system networks, rely on up-to-date Virtual Private Networks (VPNs) for secure remote access, and conduct impact analyses and risk assessments. A new Snort rule has also been released to detect the anomalous CIP routing behavior associated with CVE-2024-6242, improving threat detection for industrial control systems.
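To make the "anomalous CIP routing" that the Snort rule looks for concrete, the following added example (not code from Rockwell, Claroty, or the Snort rule itself) decodes the port segments of a CIP route path and flags requests that traverse the chassis backplane more than once, since a request arriving at a network module should normally need only one backplane hop to reach the CPU. The backplane port number (1) and the one-hop heuristic are assumptions of this example; the sample route paths are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumption: CIP port 1 is the chassis backplane on 1756 modules.
BACKPLANE_PORT = 1


@dataclass
class Hop:
    port: int    # CIP port identifier on the module handling this hop
    link: bytes  # link address: a slot number (1 byte) or an extended address


def parse_route_path(path: bytes) -> list[Hop]:
    """Decode CIP port segments: bits 7-5 == 000 mark a port segment,
    bit 4 selects an extended link address, bits 3-0 carry the port id."""
    hops: list[Hop] = []
    i = 0
    while i < len(path):
        seg = path[i]
        if seg & 0xE0:
            raise ValueError(f"not a port segment at offset {i}: 0x{seg:02x}")
        port = seg & 0x0F
        if port == 0x0F:
            raise ValueError("extended (16-bit) port ids are not handled in this example")
        i += 1
        if seg & 0x10:
            # Extended link address: a length byte, the address bytes,
            # then a pad byte so the whole segment has even length.
            n = path[i]
            i += 1
            link = path[i:i + n]
            i += n + (n % 2)
        else:
            link = path[i:i + 1]
            i += 1
        hops.append(Hop(port, link))
    return hops


def backplane_crossings(hops: list[Hop]) -> int:
    """Count how many hops of the route traverse the backplane."""
    return sum(1 for h in hops if h.port == BACKPLANE_PORT)


def is_suspicious_route(path: bytes) -> bool:
    """Heuristic (assumption): more than one backplane hop in a single
    route path is the slot-to-slot pattern a defender wants to alert on."""
    return backplane_crossings(parse_route_path(path)) > 1


# Constructed sample paths: a normal "backplane, slot 0" route and one
# that bounces through slot 3 before reaching slot 0.
NORMAL_PATH = bytes([0x01, 0x00])
HOPPING_PATH = bytes([0x01, 0x03, 0x01, 0x00])
```

Feed the function the route path bytes pulled from a captured CIP request (for example from a decoded Unconnected Send) to classify it the same way a network sensor would.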

In conclusion, the discovery of this vulnerability underscores the need for organizations to prioritize firmware updates and implement robust security measures against evolving threats. Timely application of patches or mitigations, together with adherence to cybersecurity best practices, is essential to reduce risk and protect industrial automation systems.
