Unnamed APT eyes vulnerabilities in Rockwell Automation industrial controllers (CVE-2023-3595, CVE-2023-3596)

Rockwell Automation has fixed two vulnerabilities (CVE-2023-3595, CVE-2023-3596) in the communication modules of its ControlLogix industrial programmable logic controllers (PLCs), ahead of expected (and likely) in-the-wild exploitation.

“An unreleased exploit capability leveraging these vulnerabilities is associated with an unnamed APT (Advanced Persistent Threat) group,” industrial cybersecurity company Dragos stated on Wednesday.

About the vulnerabilities (CVE-2023-3595, CVE-2023-3596)

CVE-2023-3595 allows attackers to manipulate firmware memory, perform remote code execution with persistence, and modify, deny, and exfiltrate data passing through the device. It affects the 1756 EN2* and 1756 EN3* series of ControlLogix modules.

CVE-2023-3596 could be used to trigger a denial-of-service condition, and affects the 1756-EN4* series of ControlLogix modules.

Both vulnerabilities can be triggered via maliciously crafted CIP (Common Industrial Protocol) messages.

“The results and impact of exploiting these vulnerabilities vary depending on the ControlLogix system configuration, but they could lead to denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control for disruptive or destructive consequences on the industrial process for which the ControlLogix system is responsible,” Dragos experts pointed out.

Fix, mitigate, detect

The vulnerable communications modules are used by organizations in a variety of sectors, including manufacturing, energy, and transportation.

A complete list of affected products can be found in advisories published by the Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell Automation (the latter can only be accessed with a valid account).

Both advisories also contain mitigation and detection advice, but the first thing administrators should do is upgrade the devices’ firmware to a version that contains the fix. “Rockwell Automation has provided patches for all affected products, including hardware series that were out of support,” Dragos experts pointed out.

They also advise restricting access to ports TCP/44818 and UDP/2222 on affected devices and segmenting these modules away from the internet and other unnecessary networks.

CIP Socket Object should be disabled, if possible, they say, and organizations should monitor for:

  • Unexpected or out-of-specification CIP packets to CIP objects implemented in ControlLogix communications modules
  • Unknown scanning on a network for CIP-enabled devices
  • Unscheduled firmware updates or logic downloads
  • Unexpected disabling of secure boot options
  • Arbitrary writes to communication module memory or firmware
  • Uncommon firmware file names
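As an added illustration of the port-restriction and monitoring advice above (this is example code written for this article, not tooling from Dragos or Rockwell Automation), the following Python script applies two of the checks to a handful of constructed flow records: it flags any connection to TCP/44818 or UDP/2222 on a ControlLogix module from a source outside the allowlisted engineering-workstation subnet, and it flags a single source that touches several distinct CIP-enabled hosts within a short window, the pattern behind the "unknown scanning for CIP-enabled devices" item. The module addresses, the workstation subnet, the scan threshold, the window size and the flow-log line format are all assumptions made for the example.

```python
"""Flag unauthorized CIP/EtherNet-IP access and CIP scanning in flow logs.

Added example, not vendor tooling. Two checks drawn from the mitigation
and monitoring advice for CVE-2023-3595 / CVE-2023-3596:
  1. CIP traffic (TCP/44818, UDP/2222) to a ControlLogix module from a
     source that is not on the allowlist of authorized hosts.
  2. One source contacting many distinct CIP hosts within a time window.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Ports used by EtherNet/IP (CIP): TCP/44818 explicit, UDP/2222 implicit I/O.
CIP_PORTS = {("tcp", 44818), ("udp", 2222)}

# Constructed assumptions for this example (not from the advisories):
CONTROLLOGIX_MODULES = {
    ip_address("10.10.5.11"), ip_address("10.10.5.12"), ip_address("10.10.5.13"),
}
ALLOWED_SOURCES = [ip_network("10.10.1.0/24")]  # engineering workstations
SCAN_THRESHOLD = 3        # distinct CIP destinations from one source ...
SCAN_WINDOW_SECONDS = 60  # ... within this many seconds

# Constructed flow records: "<epoch> <src> <dst> <proto> <dport>".
SAMPLE_FLOW_LOG = [
    "1700000000 10.10.1.20 10.10.5.11 tcp 44818",   # authorized workstation
    "1700000010 10.10.1.20 10.10.5.11 udp 2222",    # authorized I/O traffic
    "1700000020 192.168.40.7 10.10.5.12 tcp 44818", # foreign source -> module
    "1700000030 192.168.40.7 10.10.5.11 tcp 44818", # foreign source -> module
    "1700000035 192.168.40.7 10.10.5.13 tcp 44818", # foreign source -> module
    "1700000040 192.168.40.7 10.10.5.14 tcp 44818", # not a known module, but CIP
    "1700000100 10.10.1.20 10.10.5.12 tcp 44818",   # authorized, later
    "1700000110 10.10.1.21 10.10.5.11 tcp 502",     # non-CIP port, ignored
]


@dataclass
class Flow:
    ts: int
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record."""
    ts, src, dst, proto, dport = line.split()
    return Flow(int(ts), ip_address(src), ip_address(dst), proto.lower(), int(dport))


def is_cip(flow: Flow) -> bool:
    return (flow.proto, flow.dport) in CIP_PORTS


def unauthorized_cip_access(flows: list[Flow]) -> list[str]:
    """Alert on CIP traffic to a known module from a non-allowlisted source."""
    alerts = []
    for f in flows:
        if not is_cip(f) or f.dst not in CONTROLLOGIX_MODULES:
            continue
        if any(f.src in net for net in ALLOWED_SOURCES):
            continue
        alerts.append(f"{f.ts} unauthorized CIP access {f.src} -> {f.dst} {f.proto}/{f.dport}")
    return alerts


def cip_scanners(flows: list[Flow]) -> dict[str, int]:
    """Return {source: max distinct CIP hosts seen in any SCAN_WINDOW_SECONDS window}
    for sources that reach SCAN_THRESHOLD. A sliding window over each source's
    CIP flows, sorted by time, keeps the check linear in the number of flows."""
    by_src: dict[IPv4Address, list[Flow]] = defaultdict(list)
    for f in flows:
        if is_cip(f):
            by_src[f.src].append(f)

    scanners: dict[str, int] = {}
    for src, src_flows in by_src.items():
        src_flows.sort(key=lambda f: f.ts)
        window: deque[Flow] = deque()
        for f in src_flows:
            window.append(f)
            while f.ts - window[0].ts > SCAN_WINDOW_SECONDS:
                window.popleft()
            distinct = len({w.dst for w in window})
            if distinct >= SCAN_THRESHOLD:
                scanners[str(src)] = max(scanners.get(str(src), 0), distinct)
    return scanners


if __name__ == "__main__":
    flows = [parse_flow(line) for line in SAMPLE_FLOW_LOG]
    for alert in unauthorized_cip_access(flows):
        print(alert)
    for src, count in cip_scanners(flows).items():
        print(f"possible CIP scan from {src}: {count} distinct hosts within {SCAN_WINDOW_SECONDS}s")
```

On the sample records the foreign host 192.168.40.7 produces three unauthorized-access alerts and is reported as a scanner touching four distinct CIP hosts, while the authorized workstation's traffic is silent. In practice the flow records would come from a firewall or NetFlow collector at the segmentation boundary, and the allowlist would be the same set of hosts the firewall rules for TCP/44818 and UDP/2222 permit, so the detector catches what the restriction missed.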

“Knowing about an APT-owned vulnerability before exploitation is a rare opportunity for proactive defense for critical industrial sectors. The type of access provided by CVE-2023-3595 is similar to the zero-day employed by XENOTIME in the TRISIS attack. Both allow for arbitrary firmware memory manipulation, though CVE-2023-3595 targets a communication module responsible for handling network commands. However, their impact is the same,” they added.

“Additionally, in both cases, there exists the potential to corrupt the information used for incident response and recovery. The attacker could potentially overwrite any part of the system to hide themselves and stay persistent, or the interfaces used to collect incident response or forensics information could be intercepted by malware to avoid detection. Exploitation of this type of vulnerability renders the communication module untrustworthy, and it would need to be de-commissioned and sent back to the vendor for analysis.”
