CyberSecurity SEE

Rockwell PLC Security Vulnerability Puts Manufacturing Processes at Risk

A recent security vulnerability discovered in Rockwell Automation ControlLogix 1756 devices has raised concerns about potential cyberattacks targeting critical infrastructure. The bug, identified as CVE-2024-6242 with a CVSS score of 8.4, could be exploited by remote attackers with network access to the device, allowing them to send elevated commands to the CPU of a programmable logic controller (PLC) from an untrusted chassis card.

Claroty’s Team82, the research team that uncovered the vulnerability, demonstrated how the flaw could be leveraged to manipulate the trusted slot feature designed to enforce security policies within Rockwell devices. By bypassing this mechanism, attackers could download new logic for controlling a PLC’s behavior and send other elevated commands that could disrupt the physical operations of a manufacturing site.

Sharon Brizinov, a researcher at Claroty, explained the implications of the security bypass in a blog post detailing the bug. Rockwell Automation has acted swiftly to address the issue by releasing a fix. Users are strongly advised to apply the patch immediately to mitigate the risk of exploitation.

The Cybersecurity and Infrastructure Security Agency (CISA) has also published mitigation advice for users of Rockwell Automation devices, emphasizing the importance of implementing security measures to prevent unauthorized access to critical control systems. Exploitation of the vulnerability has been classified as low complexity, underscoring the urgency of applying the necessary security updates.

The affected devices, including ControlLogix, GuardLogix, and 1756 ControlLogix I/O Modules, are widely deployed in industrial manufacturing environments, highlighting the potential impact of the security vulnerability on various sectors.

The vulnerability lies in the trusted slot mechanism, a security feature that regulates communication between different slots within the 1756 chassis. By exploiting the shared circuit board known as the backplane, attackers can circumvent the authentication requirements of the trusted slot feature, enabling them to send malicious commands to the PLC’s CPU through unauthorized pathways.

To safeguard against the exploitation of the vulnerability, security administrators are advised to follow Rockwell’s patching recommendations for the affected devices. These include updating ControlLogix 5580 (1756-L8z), GuardLogix 5580 (1756-L8zS), and various I/O Modules to the specified versions and later releases to address the security flaw effectively.

In conclusion, the discovery of the security bypass vulnerability in Rockwell Automation ControlLogix 1756 devices underscores the ongoing threats facing critical infrastructure from cyberattacks. Collaboration between researchers, vendors, and government agencies is essential to mitigate these risks and enhance the security posture of industrial control systems. By promptly applying security updates and following best practices for securing OT environments, organizations can reduce their exposure to potential cyber threats and protect the integrity of their operations.
