CVE-2023-3595:

Critical remote code execution vulnerability in Rockwell Automation 1756 EN2* and EN3* ControlLogix communication modules that can persistently compromise the target via crafted CIP messages, enabling data modification, denial, and exfiltration.

Score
A numerical rating that indicates how dangerous this vulnerability is.

9.8Critical

Published Date:Jul 12, 2023
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:31.6
EPSS Percentile:97%

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.9
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:HIGH

Description Preview

Overview

The Rockwell Automation vulnerability allows a remote attacker to execute code on affected EN2* and EN3* ControlLogix communication modules by sending crafted CIP messages, potentially leading to persistence and broad data compromise across the device and connected systems.

Remediation

Update firmware: Apply the mitigated firmware provided by Rockwell for EN2* and EN3* ControlLogix communication modules.
Network segmentation: Ensure ICS/SCADA networks are properly segmented from the Internet and from non-essential networks to limit exposure.
Deploy detection: Implement detection signatures to monitor for anomalous CIP traffic to Rockwell devices (e.g., appended Snort signatures) and establish baseline CIP communications.
Access controls: Restrict network access to the affected modules to authorized systems only (e.g., via firewalls, VPNs, and ACLs) and monitor for unusual login or configuration changes.
Verification and monitoring: Inventory affected devices, verify firmware updates, and maintain ongoing monitoring for indicators of compromise related to CIP traffic.