Rockwell Automation ControlLogix Communication Modules Vulnerabilities (CVE-2023-3595 and CVE-2023-3596)

Read Time:1 Minute, 45 Second

What is Rockwell Automation ControlLogix Communications Modules?

Rockwell Automation ControlLogix communications modules are devices from Rockwell Automation, a US-based automation technology company, and are used by various industry sectors including critical infrastructure to establish communication links between devices.

What is the Attack?

CVE-2023-3595 is an out-of-bounds write vulnerability that affects the vulnerable 1756 EN2* and 1756 EN3* series of Rockwell Automation ControlLogix EtherNet/IP communication modules. Successful exploitation of a vulnerable system via maliciously crafted Common Industrial Protocol (CIP) messages could allow an attacker to perform various actions such as manipulating the firmware of a module, adding new functionality to a module, flushing the module’s memory, forging traffic to and from the module, establishing persistence on the module, and potentially affecting the underlying industrial process, which could result in destructive or disruptive consequences. The vulnerability has a CVSS base score of 9.8 and is rated critical by Rockwell Automation.

CVE-2023-3596 is an out-of-bounds write vulnerability that affects the vulnerable 1756 EN4* series of Rockwell Automation ControlLogix EtherNet/IP communication modules. Successful exploitation of a vulnerable system via maliciously crafted CIP messages could result in a Denial of Service (DoS) condition. The vulnerability has a CVSS base score of 7.5 and is rated high by Rockwell Automation.

Why is this Significant?

This is significant because the Rockwell Automation advisory indicates that an unnamed threat actor reportedly owns the exploit for these vulnerabilities.
FortiGuard Labs advises owners of the vulnerable modules to update the firmware as soon as possible. CISA has also released an advisory to urge users to do the same.

What is the Vendor Solution?

Rockwell Automation has released new firmware that addresses the vulnerabilities.

For more information, please see the Appendix for a link to a Rockwell Automation advisory entitled “Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules. Note that the advisory requires a valid login.

What FortiGuard Coverage is available?

FortiGuard Labs has released a new IPS signature ” Rockwell.Automation.ControlLogix.Remote.Code.Execution ” in response to CVE-2023-3595 and CVE-2023-3596.

Friday Squid Blogging: Cotton-and-Squid-Bone Sponge

Apps That Are Spying on Your Location

Cybercriminals Use Fake CrowdStrike Job Offers to Distribute Cryptominer

Slovakia Hit by Historic Cyber-Attack on Land Registry

Canadian man loses a cryptocurrency fortune to scammers – here’s how you can stop it happening to you

Medusind Breach Exposes Sensitive Patient Data

Fake PoC Exploit Targets Security Researchers with Infostealer

Smashing Security podcast #399: Honey in hot water, and reset your devices

Space Bears ransomware: what you need to know

Rockwell Automation ControlLogix Communication Modules Vulnerabilities (CVE-2023-3595 and CVE-2023-3596)

stb-0-0.50.20241002git31707d1.el8

DSA-5842-1 openafs – security update

USN-7169-5: Linux kernel (Real-time) vulnerabilities

stb-0^20241002git31707d1-4.el9

stb-0^20241002git31707d1-5.el10_0

stb-0^20241002git31707d1-4.fc40