Two vulnerabilities in industrial programmable logic controllers (PLCs) from Rockwell Automation threaten critical infrastructure and industrial environments with disruption.
Both vulnerabilities sit in the communication modules of the PLCs that physically control operational technology (OT) equipment, specifically the 1756 ControlLogix EN2, EN3 and EN4 series EtherNet/IP modules, and both can be triggered by malicious Common Industrial Protocol (CIP) messages sent to the module over the network.
The first is a critical bug, CVE-2023-3595 (CVSS score of 9.8 out of 10), affecting the EN2 and EN3 modules. It allows a threat actor to manipulate firmware memory, achieve remote code execution (RCE) with persistence, and modify, deny, or exfiltrate data flowing through the PLC, thereby affecting the performance of the equipment it controls. The 9.8 score reflects that the bug is reachable over the network with no authentication or user interaction. The second, CVE-2023-3596 (CVSS 7.5), affects the EN4 modules and can be used to trigger a denial-of-service (DoS) condition that renders the module inoperable.
Because the first bug gives an attacker control over the module's firmware memory, they can also establish a foothold inside the PLC and lurk undetected until they choose to act. “In both cases, there exists the potential to corrupt the information used for incident response and recovery,” said experts at Dragos. “The attacker could potentially overwrite any part of the system to hide themselves and stay persistent, or the interfaces used to collect incident response or forensics information could be intercepted by malware to avoid detection.”
The affected communication modules are deployed across many industries, including energy and transportation, and organizations should apply the firmware updates as soon as possible. Rockwell has released fixed firmware for every affected product, including hardware that is already out of support. Where a module cannot be updated immediately, the standard compensating control applies: segment the modules from untrusted networks and restrict CIP traffic (EtherNet/IP, TCP port 44818) to them to the engineering workstations and SCADA hosts that legitimately need it.
The full list of affected products, along with mitigation and detection guidance, is in the CISA advisory (ICSA-23-193-01) and the Rockwell Automation advisory.
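The trigger path above (a malicious CIP message reaching the module over EtherNet/IP) and the advisories' advice to restrict and monitor that traffic suggest a simple network-side check. The following is an added example, not code from the article, Rockwell or Dragos: it parses the 24-byte EtherNet/IP encapsulation header of flows sent to the modules' CIP port and flags traffic from hosts outside a hypothetical allowlist, unknown encapsulation commands, and headers whose length field disagrees with the payload. The IP addresses, the allowlist and the sample flows are constructed for the example. It is deliberately not a signature for CVE-2023-3595 or CVE-2023-3596, whose trigger messages this page does not describe.

```python
"""Triage EtherNet/IP (CIP) flows toward PLC communication modules.

Added example, not code from the original article or from Rockwell/Dragos.
Implements the generic mitigation the advisories point to: only known hosts
should speak CIP to the modules, and anything else is worth a look.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

ENIP_TCP_PORT = 44818      # EtherNet/IP explicit messaging (CIP over TCP)
ENIP_HEADER_LEN = 24       # cmd(2) len(2) session(4) status(4) context(8) options(4)
ENIP_COMMANDS = {
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",   # unconnected CIP request/response
    0x0070: "SendUnitData", # connected CIP data
}

# Hypothetical site inventory: the hosts allowed to talk CIP to the modules,
# and the modules themselves. Real deployments would pull this from an asset DB.
TRUSTED_CIP_CLIENTS = {"10.10.1.10", "10.10.1.20"}
PLC_COMM_MODULES = {"10.10.5.1", "10.10.5.2"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_enip_header(payload: bytes):
    """Return (command, declared_length, session, status) or None if truncated."""
    if len(payload) < ENIP_HEADER_LEN:
        return None
    cmd, length, session, status = struct.unpack_from("<HHII", payload, 0)
    return cmd, length, session, status


def enip_message(cmd: int, session: int, body: bytes, declared_len: int | None = None) -> bytes:
    """Build an encapsulation packet; used only to construct the sample flows."""
    length = len(body) if declared_len is None else declared_len
    return struct.pack("<HHII8sI", cmd, length, session, 0, b"\0" * 8, 0) + body


def triage_flow(flow: Flow) -> list[str]:
    """Return a list of findings for one flow; empty list means nothing unusual."""
    findings: list[str] = []
    if flow.dst not in PLC_COMM_MODULES or flow.dport != ENIP_TCP_PORT:
        return findings  # not CIP traffic to a module; out of scope here
    if flow.src not in TRUSTED_CIP_CLIENTS:
        findings.append(f"CIP from untrusted host {flow.src} -> {flow.dst}")
    hdr = parse_enip_header(flow.payload)
    if hdr is None:
        findings.append(f"truncated ENIP header from {flow.src}")
        return findings
    cmd, length, _session, _status = hdr
    if cmd not in ENIP_COMMANDS:
        findings.append(f"unknown ENIP command 0x{cmd:04x} from {flow.src}")
    actual = len(flow.payload) - ENIP_HEADER_LEN
    if length != actual:
        findings.append(
            f"ENIP length field {length} disagrees with payload ({actual} bytes) from {flow.src}"
        )
    return findings


def triage(flows: list[Flow]) -> dict[int, list[str]]:
    """Map flow index -> findings, keeping only flows that produced any."""
    report: dict[int, list[str]] = {}
    for i, fl in enumerate(flows):
        findings = triage_flow(fl)
        if findings:
            report[i] = findings
    return report


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # 0: engineering workstation registers a session: protocol version 1, options 0
    Flow("10.10.1.10", "10.10.5.1", ENIP_TCP_PORT, enip_message(0x0065, 0, b"\x01\x00\x00\x00")),
    # 1: a host nobody allowlisted sends a CIP request
    Flow("10.10.9.77", "10.10.5.1", ENIP_TCP_PORT, enip_message(0x006F, 1, b"\x00" * 16)),
    # 2: trusted host, but an encapsulation command the spec does not define
    Flow("10.10.1.20", "10.10.5.2", ENIP_TCP_PORT, enip_message(0x00FF, 1, b"\x00" * 8)),
    # 3: trusted host, but the length field claims 100 bytes and only 8 follow
    Flow("10.10.1.10", "10.10.5.2", ENIP_TCP_PORT, enip_message(0x0070, 1, b"\x00" * 8, 100)),
    # 4: HTTP to the module's web page; not CIP, ignored by this check
    Flow("10.10.9.77", "10.10.5.1", 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_FLOWS).items():
        for f in findings:
            print(f"flow {idx}: {f}")
```

In practice the flows would come from a SPAN port or a firewall log rather than a hard-coded list, and the header-length check is a cheap sanity test rather than a vulnerability signature; its value is surfacing CIP traffic that a segmented network should never carry in the first place.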