
Uncovered Security Vulnerability in Rockwell Automation Devices Allows Unauthorized Access

A serious security flaw has been found in Rockwell Automation ControlLogix 1756 devices that allows for the execution of Common Industrial Protocol (CIP) programming and configuration commands.

The vulnerability, known as CVE-2024-6242, has a CVSS v3.1 score of 8.4.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated in an advisory that a threat actor could exploit the flaw to bypass the Trusted Slot feature in a ControlLogix controller and potentially modify user projects and device configuration.

Security company Claroty, which discovered the vulnerability, created a method to bypass the Trusted Slot feature and send malicious commands to the programmable logic controller (PLC) CPU.




According to security researcher Sharon Brizinov, the vulnerability allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, breaching the security boundary meant to protect the CPU from untrusted cards.

Although network access is needed for exploitation, the flaw could allow an attacker to send elevated commands, such as downloading arbitrary logic to the PLC CPU, even from behind an untrusted network card.
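As an added illustration (not code from the article, Claroty, or Rockwell Automation), here is a passive check a defender could run over CIP route paths extracted from captured traffic: it decodes the port segments and flags any route in which two backplane hops follow each other. That port 1 is the chassis backplane, and that slot-to-slot routing shows up as adjacent backplane hops, are assumptions; the sample paths are constructed.

```python
# Added example: route-path check on constructed data (not vendor or researcher code).
BACKPLANE_PORT = 1  # assumption: port 1 is the local chassis backplane

def parse_port_segments(path: bytes):
    """Decode the leading CIP port segments of a route path into (port, link) hops."""
    hops, i = [], 0
    while i < len(path) and path[i] >> 5 == 0:  # top three bits 000 = port segment
        start, seg = i, path[i]
        i += 1
        size = 1
        if seg & 0x10:  # extended link address: a size byte follows
            if i >= len(path):
                raise ValueError("truncated port segment")
            size = path[i]
            i += 1
        port = seg & 0x0F
        if port == 0x0F:  # extended port identifier: 16-bit little endian
            port = int.from_bytes(path[i:i + 2], "little")
            i += 2
        link = path[i:i + size]
        if len(link) != size:
            raise ValueError("truncated port segment")
        i += size
        if (i - start) % 2:  # segments are padded to a 16-bit boundary
            i += 1
        hops.append((port, link))
    return hops

def adjacent_backplane_hops(path: bytes):
    """Return (slot_a, slot_b) for every pair of back-to-back backplane hops."""
    hops = parse_port_segments(path)
    return [(a[0], b[0]) for (pa, a), (pb, b) in zip(hops, hops[1:])
            if pa == pb == BACKPLANE_PORT and a and b]

# Constructed route paths, as they might be extracted from captured CIP requests.
SAMPLES = {
    "direct": bytes([0x01, 0x00]),
    "via_network": bytes([0x01, 0x02, 0x12, 0x0B]) + b"192.168.1.5"
                   + bytes([0x00, 0x01, 0x00]),
    "adjacent_backplane": bytes([0x01, 0x02, 0x01, 0x00]),
}

if __name__ == "__main__":
    for name, path in SAMPLES.items():
        pairs = adjacent_backplane_hops(path)
        print(f"{name}: {'ALERT ' + str(pairs) if pairs else 'ok'}")
```

A route that crosses to another chassis over the network also contains two backplane hops, but they are separated by a network hop, so only the back-to-back case is reported.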

Rockwell Automation has addressed the vulnerability in various versions, including ControlLogix 5580, GuardLogix 5580, and different EN modules.

Brizinov emphasized that the vulnerability could have exposed critical control systems to unauthorized access via the CIP protocol originating from untrusted chassis slots.
