CVE-2023-3595:Critical remote code execution vulnerability in Rockwell Automation 1756 EN2* and EN3* ControlLogix communication modules that can persistently compromise the target via crafted CIP messages, enabling data modification, denial, and exfiltration.

splash
Back

Description Preview

This vulnerability affects Rockwell Automation 1756 EN2* and 1756 EN3* ControlLogix communication products. A malicious actor could achieve remote code execution with persistence on the affected device by sending specially crafted CIP messages, potentially modifying, denying, or exfiltrating data passing through the device. The issue is associated with CWE-787 Out-of-bounds Write and CAPEC-100 Overflow Buffers, and has a critical CVSS score of 9.8 (NETWORK, HIGH impact, no user interaction). Exploitation requires network connectivity to the affected module, making proper network segmentation and monitored access essential. The affected firmware ranges include multiple EN2* and EN3* series with versions up to specific endpoints (e.g., <=5.008 & 5.028 for many EN2* variants and <=11.003 for others).

Overview

The Rockwell Automation vulnerability allows a remote attacker to execute code on affected EN2* and EN3* ControlLogix communication modules by sending crafted CIP messages, potentially leading to persistence and broad data compromise across the device and connected systems.

Remediation

  • Update firmware: Apply the mitigated firmware provided by Rockwell for EN2* and EN3* ControlLogix communication modules.
  • Network segmentation: Ensure ICS/SCADA networks are properly segmented from the Internet and from non-essential networks to limit exposure.
  • Deploy detection: Implement detection signatures to monitor for anomalous CIP traffic to Rockwell devices (e.g., appended Snort signatures) and establish baseline CIP communications.
  • Access controls: Restrict network access to the affected modules to authorized systems only (e.g., via firewalls, VPNs, and ACLs) and monitor for unusual login or configuration changes.
  • Verification and monitoring: Inventory affected devices, verify firmware updates, and maintain ongoing monitoring for indicators of compromise related to CIP traffic.

References

  • Rockwell Automation Custhelp: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1140010
  • CVE-2023-3595 - MITRE CVE Entry: https://www.cve.org/CVERecord?id=CVE-2023-3595

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
    Manufacturing
  2. Retail Trade: Low
    Retail Trade
  3. Health Care & Social Assistance: Low
    Health Care & Social Assistance
  4. Professional, Scientific, & Technical Services: Low
    Professional, Scientific, & Technical Services
  5. Public Administration: Low
    Public Administration
  6. Transportation & Warehousing: Low
    Transportation & Warehousing
  7. Utilities: Low
    Utilities
  8. Other Services (except Public Administration): Low
    Other Services (except Public Administration)
  9. Agriculture, Forestry Fishing & Hunting: Low
    Agriculture, Forestry Fishing & Hunting
  10. Mining: Low
    Mining
  11. Information: Low
    Information
  12. Accommodation & Food Services: Low
    Accommodation & Food Services
  13. Management of Companies & Enterprises: Low
    Management of Companies & Enterprises
  14. Administrative, Support, Waste Management & Remediation Services: Low
    Administrative, Support, Waste Management & Remediation Services
  15. Arts, Entertainment & Recreation: Low
    Arts, Entertainment & Recreation
  16. Construction: Low
    Construction
  17. Educational Services: Low
    Educational Services
  18. Finance and Insurance: Low
    Finance and Insurance
  19. Real Estate Rental & Leasing: Low
    Real Estate Rental & Leasing
  20. Wholesale Trade: Low
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background