Rockwell Automation ControlLogix Communication Modules Vulnerabilities (CVE-2023-3595 and CVE-2023-3596)

Read Time:1 Minute, 45 Second

What is Rockwell Automation ControlLogix Communications Modules?

Rockwell Automation ControlLogix communications modules are devices from Rockwell Automation, a US-based automation technology company, and are used by various industry sectors including critical infrastructure to establish communication links between devices.

What is the Attack?

CVE-2023-3595 is an out-of-bounds write vulnerability that affects the vulnerable 1756 EN2* and 1756 EN3* series of Rockwell Automation ControlLogix EtherNet/IP communication modules. Successful exploitation of a vulnerable system via maliciously crafted Common Industrial Protocol (CIP) messages could allow an attacker to perform various actions such as manipulating the firmware of a module, adding new functionality to a module, flushing the module’s memory, forging traffic to and from the module, establishing persistence on the module, and potentially affecting the underlying industrial process, which could result in destructive or disruptive consequences. The vulnerability has a CVSS base score of 9.8 and is rated critical by Rockwell Automation.

CVE-2023-3596 is an out-of-bounds write vulnerability that affects the vulnerable 1756 EN4* series of Rockwell Automation ControlLogix EtherNet/IP communication modules. Successful exploitation of a vulnerable system via maliciously crafted CIP messages could result in a Denial of Service (DoS) condition. The vulnerability has a CVSS base score of 7.5 and is rated high by Rockwell Automation.

Why is this Significant?

This is significant because the Rockwell Automation advisory indicates that an unnamed threat actor reportedly owns the exploit for these vulnerabilities.
FortiGuard Labs advises owners of the vulnerable modules to update the firmware as soon as possible. CISA has also released an advisory to urge users to do the same.

What is the Vendor Solution?

Rockwell Automation has released new firmware that addresses the vulnerabilities.

For more information, please see the Appendix for a link to a Rockwell Automation advisory entitled “Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules. Note that the advisory requires a valid login.

What FortiGuard Coverage is available?

FortiGuard Labs has released a new IPS signature ” Rockwell.Automation.ControlLogix.Remote.Code.Execution ” in response to CVE-2023-3595 and CVE-2023-3596.

Friday Squid Blogging: Squid Game Season Two Teaser

Clever Social Engineering Attack Using Captchas

US Cyberspace Solarium Commission Outlines Ten New Cyber Policy Priorities

Cybersecurity Skills Gap Leaves Cloud Environments Vulnerable

Going for Gold: HSBC Approves Quantum-Safe Technology for Tokenized Bullions

This Windows PowerShell Phish Has Scary Potential

Infostealers Cause Surge in Ransomware Attacks, Just One in Three Recover Data

FBI Shuts Down Chinese Botnet

Western Agencies Warn Risk from Chinese-Controlled Botnet

Rockwell Automation ControlLogix Communication Modules Vulnerabilities (CVE-2023-3595 and CVE-2023-3596)

USN-6992-2: Firefox regressions

GLSA 202409-20: curl: Multiple Vulnerabilities

GLSA 202409-07: Rust: Multiple Vulnerabilities

GLSA 202409-06: file: Stack Buffer Overread

GLSA 202409-05: PJSIP: Heap Buffer Overflow

GLSA 202409-04: calibre: Multiple Vulnerabilities