Vulnerability Analysis and Mitigation Strategies for Rockwell Automation

Vulnerability Overview for Rockwell Automation

The advisory covers the Rockwell Automation ControlLogix 5580 and GuardLogix 5580 controllers, the CompactLogix 5380 controller and the 1756-EN4TR communication module. The flaw is an improper input validation weakness: a specific malformed fragmented packet type can trigger a major nonrecoverable fault (MNRF), which takes the affected device offline until it is manually restarted, i.e. a network-triggerable denial of service.

The vulnerability is tracked as CVE-2024-3493 and carries a CVSS v3.1 base score of 8.6 and a CVSS v4 score of 9.2.

Mitigation Techniques

To address this vulnerability, Rockwell Automation has released corrected firmware; users should update affected devices to the following versions:

  • ControlLogix 5580: Update to version V35.013 or V36.011
  • GuardLogix 5580: Update to version V35.013 or V36.011
  • CompactLogix 5380: Update to version V35.013 or V36.011
  • 1756-EN4TR: Update to version V6.001
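
As an added example (not Rockwell's tooling and not text from the advisory), the following Python script applies the version table above to a controller inventory. It parses the vendor's "V35.013" notation numerically, treats each major revision (V35, V36, V6) as its own line, and flags any device that is not on a release the advisory lists as fixed. Because this page does not state the advisory's affected-version range, the script does not assume an older release is safe; it reports anything it cannot confirm as fixed as needing an update or as unknown. The inventory is constructed for illustration.

```python
"""Check a controller inventory against the firmware fixes listed on this page for
CVE-2024-3493. Added example, not Rockwell's tooling; the inventory is constructed."""
from __future__ import annotations

import re
from typing import NamedTuple

# Corrected firmware per the advisory as quoted above, keyed by product and then by
# major revision line. A device on a listed line needs at least the version shown;
# a device on an older line has to move to one of the listed lines.
FIXED_FIRMWARE: dict[str, dict[int, tuple[int, int]]] = {
    "ControlLogix 5580": {35: (35, 13), 36: (36, 11)},
    "GuardLogix 5580":   {35: (35, 13), 36: (36, 11)},
    "CompactLogix 5380": {35: (35, 13), 36: (36, 11)},
    "1756-EN4TR":        {6: (6, 1)},
}

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int]:
    """'V35.013' -> (35, 13). The zero-padded minor field is a number, not a string:
    '35.013' sorts before '35.2' lexically but 13 > 2 numerically, so compare as ints."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version {text!r}")
    return int(match.group(1)), int(match.group(2))


def format_version(version: tuple[int, int]) -> str:
    return f"V{version[0]}.{version[1]:03d}"


class Finding(NamedTuple):
    asset: str
    product: str
    version: str
    status: str   # 'fixed', 'update_required' or 'unknown'
    targets: str  # fixed release(s) to move to, if any


def assess(product: str, version: str) -> tuple[str, str]:
    """Classify one device. Anything not known to be on a fixed release is flagged;
    the advisory's affected-version range is not on this page, so the check never
    declares a release safe merely because it predates the listed lines."""
    lines = FIXED_FIRMWARE.get(product)
    if lines is None:
        return "unknown", ""            # product not in this advisory's table
    major, minor = parse_version(version)
    if major in lines:
        fixed = lines[major]
        if (major, minor) >= fixed:
            return "fixed", ""
        return "update_required", format_version(fixed)
    if major > max(lines):
        return "unknown", ""            # newer line than the advisory lists
    return "update_required", " or ".join(format_version(v) for v in lines.values())


def review(inventory: list[tuple[str, str, str]]) -> list[Finding]:
    return [Finding(asset, product, version, *assess(product, version))
            for asset, product, version in inventory]


# Constructed inventory (asset tag, product, reported firmware); not real data.
INVENTORY = [
    ("PLC-01",  "ControlLogix 5580", "V35.011"),
    ("PLC-02",  "GuardLogix 5580",   "V36.011"),
    ("PLC-03",  "CompactLogix 5380", "V34.011"),
    ("ENET-01", "1756-EN4TR",        "V6.001"),
    ("PLC-04",  "ControlLogix 5580", "V37.011"),
]

if __name__ == "__main__":
    for f in review(INVENTORY):
        print(f"{f.asset:8} {f.product:18} {f.version:8} {f.status:16} {f.targets}")
```

Run it against an export from your asset inventory in the same (asset, product, version) shape; the "unknown" rows (newer lines, or products outside this advisory) are the ones to resolve manually against the vendor's advisory page.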

Beyond patching, users should reduce the likelihood of exploitation: minimise network exposure for all control system devices, place control networks behind firewalls and isolate them from the business network, and use secure remote access methods such as Virtual Private Networks (VPNs), keeping in mind that a VPN is only as secure as the devices connected to it and must itself be kept up to date.

Organizations are also encouraged to perform an impact assessment and risk analysis before deploying defensive measures, to follow recommended cybersecurity practices, and to report any suspicious activity to CISA.

Reference

Security Advisories | Rockwell Automation


Separately, Rockwell Automation has issued a security advisory urging users to verify that their industrial control systems (ICS) are not reachable from the internet, where they are exposed to cyber threats.

The industrial automation giant has advised customers to take "urgent" action and ensure that no devices that are not specifically designed for public connectivity are exposed to the internet.

A search for internet-exposed hosts matching "Rockwell" returns over 7,000 hits, many of which appear to be Allen-Bradley programmable logic controllers (PLCs).
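
Those hits are found by speaking the device's own protocol: the EtherNet/IP ListIdentity request on TCP/UDP 44818 needs no session or credentials, and a controller answers with its vendor ID, product name and firmware revision. The following Python probe is an added example, not from the article or from Rockwell; it builds that request, decodes the reply, and ships with a constructed sample reply so the parser can be exercised offline. The revision it extracts is the same major.minor firmware revision the patch table earlier on this page refers to. Point the live probe only at address space you own: a Rockwell device answering from a public IP is exactly the exposure the advisory tells operators to remove.

```python
"""Probe a host with an EtherNet/IP ListIdentity request and decode the CIP Identity
reply. Added example, not from the article or Rockwell; the sample reply is constructed."""
import socket
import struct

ENIP_PORT = 44818            # EtherNet/IP encapsulation, TCP and UDP
CMD_LIST_IDENTITY = 0x0063   # encapsulation command: ListIdentity
ITEM_CIP_IDENTITY = 0x000C   # Common Packet Format item carrying the Identity object
VENDOR_ROCKWELL = 0x0001     # CIP vendor ID 1 = Rockwell Automation / Allen-Bradley
HEADER = "<HHIIQI"           # command, length, session, status, sender context, options


def build_list_identity() -> bytes:
    """ListIdentity is a bare 24-byte encapsulation header with zero payload length;
    no RegisterSession is needed, which is why scanners use it for fingerprinting."""
    return struct.pack(HEADER, CMD_LIST_IDENTITY, 0, 0, 0, 0, 0)


def parse_list_identity(reply: bytes) -> dict:
    """Walk the Common Packet Format items in the reply and decode the Identity item."""
    if len(reply) < 24:
        raise ValueError("reply shorter than the encapsulation header")
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(HEADER, reply, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} or status {status}")
    data = reply[24:24 + length]
    if len(data) < length:
        raise ValueError("payload truncated")
    (item_count,) = struct.unpack_from("<H", data, 0)
    offset = 2
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        item = data[offset:offset + item_len]
        offset += item_len
        if type_id == ITEM_CIP_IDENTITY:
            return _parse_identity_item(item)
    raise ValueError("no CIP Identity item in reply")


def _parse_identity_item(item: bytes) -> dict:
    # 2 bytes encapsulation version, then a 16-byte sockaddr_in in network (big-endian)
    # byte order; every CIP field that follows is little-endian.
    _family, port, addr = struct.unpack_from(">HH4s", item, 2)
    vendor, dev_type, product_code, rev_major, rev_minor, dev_status, serial = \
        struct.unpack_from("<HHHBBHI", item, 18)
    name_len = item[32]
    name = item[33:33 + name_len].decode("ascii", errors="replace")
    return {
        "address": f"{socket.inet_ntoa(addr)}:{port}",  # address the device believes it has
        "vendor_id": vendor, "is_rockwell": vendor == VENDOR_ROCKWELL,
        "device_type": dev_type,                         # 0x0E = Programmable Logic Controller
        "product_code": product_code, "status": dev_status, "serial": f"{serial:08X}",
        "revision": (rev_major, rev_minor),              # firmware major.minor, e.g. V35.011
        "product_name": name, "state": item[33 + name_len],
    }


def build_sample_reply() -> bytes:
    """Constructed reply for exercising the parser offline: a Rockwell controller calling
    itself '1756-L85E/B' at revision 35.011. Not a capture; product code and serial are
    placeholders and the address is from the documentation range."""
    identity = (
        struct.pack("<H", 1)                                                      # encap version
        + struct.pack(">HH4s8x", 2, ENIP_PORT, socket.inet_aton("192.0.2.10"))  # AF_INET = 2
        + struct.pack("<HHHBBHI", VENDOR_ROCKWELL, 0x0E, 0, 35, 11, 0, 0x00C0FFEE)
        + bytes([len(b"1756-L85E/B")]) + b"1756-L85E/B"
        + bytes([0x03])                                                           # device state
    )
    payload = struct.pack("<H", 1) + struct.pack("<HH", ITEM_CIP_IDENTITY, len(identity)) + identity
    return struct.pack(HEADER, CMD_LIST_IDENTITY, len(payload), 0, 0, 0, 0) + payload


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full reply arrived")
        buf += chunk
    return buf


def probe(host: str, port: int = ENIP_PORT, timeout: float = 2.0) -> dict:
    """Send ListIdentity over TCP to one host and decode the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_list_identity())
        header = _recv_exact(sock, 24)
        (length,) = struct.unpack_from("<H", header, 2)
        return parse_list_identity(header + _recv_exact(sock, length))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_list_identity(build_sample_reply()))
```

Two things worth noticing in the decoded reply: the socket address field is what the device believes its own address is, so a controller reached through a NAT or port-forward will happily disclose its internal address; and a non-zero Identity status or a vendor ID other than 1 on port 44818 is still a finding, since any EtherNet/IP device answering from the internet contradicts the guidance above.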

The company is concerned about potential attacks “due to heightened geopolitical tensions & adversarial cyber activity globally”.

“Consistent with Rockwell Automation’s guidance for all devices not specifically designed for public internet connectivity (Ex: cloud & edge offerings), users should not ever configure their assets to be directly connected to the public-facing internet,” stated Rockwell. “Removing that connectivity as a proactive step reduces attack surface & can immediately reduce exposure to unlicensed & malicious cyber activity from external threat actors.”

The company’s advisory page links to a variety of useful resources, including guidance and best practices.

Rockwell’s advisory lists several vulnerabilities discovered and patched in recent years, notably CVE-2021-22681, CVE-2022-1159, CVE-2023-3595 and CVE-2023-3596, CVE-2023-46290, CVE-2024-21914, CVE-2024-21915 and CVE-2024-21917.

These weaknesses allow attackers to cause denial of service, elevate privileges, modify device settings, remotely compromise PLCs and, potentially, carry out Stuxnet-style attacks against the controlled process.

The identification of exploit capabilities for CVE-2023-3595 and CVE-2023-3596 indicates that threat actors, notably APT groups, have targeted Rockwell industrial equipment and sought to exploit these flaws. There have been no confirmed reports of the exploits being used in actual attacks.

The US cybersecurity agency CISA has also issued an alert drawing attention to Rockwell’s notice.

Tabulation

Customers should be aware of the following related CVEs and mitigate them where possible: