Rockwell Automation Select Communication Modules

1. EXECUTIVE SUMMARY

• CVSS v3 9.8
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Rockwell Automation
• Equipment: 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK, 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT
• Vulnerabilities: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected: 

• 1756-EN2T Series A, B, and C: Versions 5.008 and 5.028 and prior
• 1756-EN2T Series D: Versions 11.003 and prior
• 1756-EN2TK Series A, B, and C: Versions 5.008 and 5.028 and prior
• 1756-EN2TK Series D: Versions 11.003 and prior
• 1756-EN2TXT Series A, B, and C: Versions 5.008 and 5.028 and prior
• 1756-EN2TXT Series D: Versions 11.003 and prior
• 1756-EN2TP Series A: Versions 11.003 and prior
• 1756-EN2TPK Series A: Versions 11.003 and prior
• 1756-EN2TPXT Series A: Versions 11.003 and prior
• 1756-EN2TR Series A and B: Versions 5.008 and 5.028 and prior
• 1756-EN2TR Series C: Versions 11.003 and prior
• 1756-EN2TRK Series A and B: Versions 5.008 and 5.028 and prior
• 1756-EN2TRK Series C: Versions 11.003 and prior
• 1756-EN2TRXT Series A and B: Versions 5.008 and 5.028 and prior
• 1756-EN2TRXT Series C: Versions 11.003 and prior
• 1756-EN2F Series A and B: Versions 5.008 and 5.028 and prior
• 1756-EN2F Series C: Versions 11.003 and prior
• 1756-EN2FK Series A and B: Versions 5.008 and 5.028 and prior
• 1756-EN2FK Series C: Versions 11.003 and prior
• 1756-EN3TR Series A: Versions 5.008 and 5.028 and prior
• 1756-EN3TR Series B: Versions 11.003 and prior
• 1756-EN3TRK Series A: Versions 5.008 and 5.028 and prior
• 1756-EN3TRK Series B: Versions 11.003 and prior
• 1756-EN4TR Series A: Versions 5.001 and prior
• 1756-EN4TRK Series A: Versions 5.001 and prior
• 1756-EN4TRXT Series A: Versions 5.001 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787 

Where this vulnerability exists in the 1756 EN2* and 1756 EN3* products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages. This includes the ability to modify, deny, and exfiltrate data passing through the device.

CVE-2023-3595 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

Where this vulnerability exists in the 1756-EN4* products, it could allow a malicious user to cause a denial-of-service condition by asserting the target system through maliciously crafted CIP messages.

CVE-2023-3596 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing

• COUNTRIES/AREAS DEPLOYED: Worldwide

• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation has released the following versions to fix these vulnerabilities and can be addressed by performing a standard firmware update. Customers are strongly encouraged to implement the risk mitigations provided below and to the extent possible, to combine these with the security best practices to employ multiple strategies simultaneously.

• 1756-EN2T Series A, B, and C: Update to 5.029 or later signed versions (**recommended). Update to 5.009 for unsigned versions
• 1756-EN2T Series D: Update to 11.004 or later
• 1756-EN2TK Series A, B, and C: Update to 5.029 or later signed versions (**recommended). Update to 5.009 for unsigned versions
• 1756-EN2TK Series D: Update to 11.004 or later
• 1756-EN2TXT Series A, B, and C: Update to 5.029 or later signed versions (**recommended). Update to 5.009 for unsigned versions
• 1756-EN2TXT Series D: Update to 11.004 or later
• 1756-EN2TP Series A: Update to 11.004 or later
• 1756-EN2TPK Series A: Update to 11.004 or later
• 1756-EN2TPXT Series A: Update to 11.004 or later
• 1756-EN2TR Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
• 1756-EN2TR Series C: Update to 11.004 or later
• 1756-EN2TRK Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
• 1756-EN2TRK Series C: Update to 11.004 or later
• 1756-EN2TRXT Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
• 1756-EN2TRXT Series C: Update to 11.004 or later
• 1756-EN2F Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
• 1756-EN2F Series C: Update to 11.004 or later
• 1756-EN2FK Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
• 1756-EN2FK Series C: Update to 11.004 or later
• 1756-EN3TR Series A: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
• 1756-EN3TR Series B: Update to 11.004 or later
• 1756-EN3TRK Series A: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
• 1756-EN3TRK Series B: Update to 11.004 or later
• 1756-EN4TR Series A: Update to 5.002 or later
• 1756-EN4TRK Series A: Update to 5.002 or later
• 1756-EN4TRXT Series A: Update to 5.002 or later

** Rockwell Automation strongly recommends updating to signed firmware if possible. Once the module is updated to signed firmware (example 5.008 to 5.0029), it is not possible to revert to unsigned firmware versions.

Organizations should take the following actions to further secure ControlLogix communications modules from exploitation:

• Update firmware. Update EN2* ControlLogix communications modules to firmware revision 11.004 and update EN4* ControlLogix communications modules to firmware revision 5.002. 

• Properly segment networks. Given a cyber actor would require network connectivity to the communication module to exploit the vulnerability, organizations should ensure ICS/SCADA networks are properly segmented within the process structure as well as from the Internet and other non-essential networks.

• Implement detection signatures. Use appended Snort signatures to monitor and detect anomalous Common Industrial Protocol (CIP) packets to Rockwell Automation devices.

For more information and to see Rockwell’s detection rules, see Rockwell Automation’s Security Advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.