Critical Rockwell OT Bugs Fixed to Prevent Novel APT Exploit
Rockwell Automation: Urgent Attention Is Needed to Protect Critical Infrastructure
Rockwell Automation teamed up with federal cybersecurity experts to find two critical flaws that require immediate attention, citing a novel exploit capability attributed to advanced persistent threat actors known for targeting industrial systems and critical infrastructure.
The collaborative analysis discovered the APT exploit, which could potentially be used to control or shut down components of utility systems, manufacturers, transportation networks and pipelines.
There is a "high likelihood that these capabilities were developed with an intent to target critical infrastructure," the Rockwell Automation security advisory says.
Whether this APT capability has been used in active exploitation remains unclear, but "threat activity is subject to change and customers using affected products could face serious risk if exposed," the advisory says.
The Critical RCE and DoS Bugs
CVE-2023-3595 - CVSS: 9.8
An attacker can exploit this vulnerability to gain remote code execution (RCE) on a vulnerable module by sending specially crafted Common Industrial Protocol (CIP) messages. The risk of exploitation increases if the module is not segmented from the internet. Successful exploitation could give an attacker the ability to compromise the memory of a vulnerable module, enabling the attacker to modify, deny and exfiltrate data passing through the device.
Operational technology security firm Dragos compared this vulnerability to the zero-day employed by Xenotime in the Trisis/Triton attack. "Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands," Dragos said. "However, their impact is the same."
Another commonality is that both bugs have the potential to corrupt the information used for incident response and recovery. Attackers could potentially overwrite any part of the system to hide themselves and persist, or the interfaces used to collect incident response or forensics information could be intercepted by malware to avoid detection.
"Exploitation of this type of vulnerability renders the communication module untrustworthy, and it would need to be de-commissioned and sent back to the vendor for analysis," Dragos said.
CVE-2023-3596 - CVSS: 7.5
An attacker can exploit this vulnerability to cause a denial-of-service condition on a target system by sending specially crafted CIP messages to a vulnerable device.
ControlLogix Communications Modules are used in many industries and sectors, including energy, transportation and water, manufacturing, electric, oil and gas, and liquefied natural gas, to enable communication between machines, IT systems and remote chassis, said operational technology security providers Tenable and Dragos.
Both companies, as trusted ICS/OT threat intelligence partners of the U.S. Cybersecurity and Infrastructure Security Agency, worked with Rockwell Automation in advance of the disclosure of the ControlLogix vulnerabilities to coordinate and help assess the extent of the threat.
Experts at Dragos said, "The results and impact of exploiting these vulnerabilities vary depending on the ControlLogix system configuration, but they could lead to denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control for disruptive or destructive consequences on the industrial process for which the ControlLogix system is responsible."
"It is important to note these [ControlLogix] modules can be implemented in multiple logical and physical configurations," Tenable said. "A 1756 ControlLogix Chassis can have up to 17 modules installed in a local chassis. It is common to have multiple network interfaces [physical network cards] configured to bridge and/or segment networks in industrial environments."
IoCs and Mitigations
Rockwell Automation advised system owners to ensure ICS/SCADA networks are baselined and regularly monitored for abnormal network activity. Those using the ControlLogix communications modules should specifically look for:
- Unknown scanning on a network for CIP-enabled devices;
- Unexpected or out-of-specification CIP packets;
- Arbitrary writes to communication module memory or firmware;
- Unexpected firmware updates and/or disabling of secure boot options;
- Uncommon firmware file names.
Rockwell Automation has listed the available signed and unsigned firmware update versions in its security advisory, but to further secure the ControlLogix communications modules from exploitation, the company recommends proper network segmentation and implementation of detection signatures. "Use appended Snort signatures to monitor and detect anomalous CIP packets to Rockwell Automation devices," the advisory says.
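The following is an added example written for this article, not code from Rockwell Automation, Dragos or Tenable, showing how two of the indicators above (out-of-specification CIP packets and scanning for CIP-enabled devices) can be checked in a packet log. It parses the 24-byte EtherNet/IP encapsulation header that carries CIP over TCP/UDP port 44818, using the field layout and command codes from the public EtherNet/IP specification. The packet payloads, IP addresses and the scan threshold are constructed for the example; a real deployment would feed it captures from the monitored ICS segment and tune the threshold to the baseline the advisory asks operators to establish.

```python
"""Flag out-of-spec EtherNet/IP (CIP) packets and device-discovery sweeps.

Added example for this article; not vendor code. Header layout and command
codes follow the public EtherNet/IP encapsulation specification. All sample
traffic below is constructed.
"""
import struct
from collections import defaultdict

# Encapsulation header: Command, Length, Session Handle, Status,
# Sender Context (8 bytes), Options. All fields little-endian per the spec.
ENIP_HEADER = struct.Struct("<HHIIQI")
ENIP_HEADER_LEN = ENIP_HEADER.size          # 24 bytes
MAX_ENCAP_DATA = 65511                      # spec maximum for the data portion

# Command codes defined by the specification; anything else is out of spec.
KNOWN_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}
SESSION_COMMANDS = {0x006F, 0x0070}          # require a registered session handle


def check_packet(pkt):
    """Return a list of anomaly tags for one ENIP payload (empty list = clean)."""
    tags = []
    if len(pkt) < ENIP_HEADER_LEN:
        return ["truncated-header"]
    cmd, length, session, _status, _ctx, options = ENIP_HEADER.unpack_from(pkt)
    if cmd not in KNOWN_COMMANDS:
        tags.append(f"unknown-command:0x{cmd:04x}")
    if length != len(pkt) - ENIP_HEADER_LEN:
        tags.append("length-mismatch")      # header claims a different size than sent
    if length > MAX_ENCAP_DATA:
        tags.append("length-over-max")
    if options != 0:
        tags.append("nonzero-options")      # spec: Options shall be zero
    if cmd in SESSION_COMMANDS and session == 0:
        tags.append("unregistered-session") # data sent without RegisterSession
    return tags


def find_scanners(flows, threshold=5):
    """Map source -> number of distinct hosts it sent ListIdentity to, if >= threshold.

    Many ListIdentity requests from one source to many destinations is the
    signature of someone enumerating CIP-enabled devices on the network.
    """
    targets = defaultdict(set)
    for src, dst, pkt in flows:
        if len(pkt) >= ENIP_HEADER_LEN and ENIP_HEADER.unpack_from(pkt)[0] == 0x0063:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def scan_log(flows):
    """Return ([(index, src, dst, tags), ...], scanners) for (src, dst, payload) records."""
    anomalies = []
    for i, (src, dst, pkt) in enumerate(flows):
        tags = check_packet(pkt)
        if tags:
            anomalies.append((i, src, dst, tags))
    return anomalies, find_scanners(flows)


def build(cmd, data=b"", session=0, options=0, length=None):
    """Construct a test payload; 'length' may deliberately lie for the example."""
    if length is None:
        length = len(data)
    return ENIP_HEADER.pack(cmd, length, session, 0, 0, options) + data


# Constructed sample traffic: one well-behaved engineering host (10.0.1.5)
# and one misbehaving host (10.0.9.99). Addresses are placeholders.
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", build(0x0063)),                                    # ListIdentity
    ("10.0.1.5", "10.0.2.10", build(0x0065, b"\x01\x00\x00\x00")),               # RegisterSession
    ("10.0.1.5", "10.0.2.10", build(0x006F, b"\x00" * 16, session=0x1234)),      # SendRRData
    ("10.0.9.99", "10.0.2.10", build(0x00AB, b"\x41" * 8)),                      # unknown command
    ("10.0.9.99", "10.0.2.10", build(0x0070, b"\x00" * 4, session=0x1234, length=4000)),
    ("10.0.9.99", "10.0.2.10", build(0x006F, b"\x00" * 16, options=1)),          # options set, no session
] + [("10.0.9.99", f"10.0.2.{i}", build(0x0063)) for i in range(20, 27)]          # discovery sweep

if __name__ == "__main__":
    found, scanners = scan_log(SAMPLE_FLOWS)
    for idx, src, dst, tags in found:
        print(f"packet {idx} {src} -> {dst}: {', '.join(tags)}")
    for src, count in scanners.items():
        print(f"possible CIP device sweep from {src}: {count} distinct targets")
```

The checks are deliberately conservative: each one tests a property the specification fixes (defined command codes, a length field that matches the bytes on the wire, a zero Options field, a session handle on session-bound commands), so a hit means the packet is out of spec rather than merely unusual. That is the same class of condition the advisory's Snort signatures target, and a byte-level check like this is a useful cross-check on them, but neither replaces the network baselining Rockwell Automation recommends.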