A high-severity vulnerability in Rockwell Automation ControlLogix 1756 devices, identified as CVE-2024-6242, could be used to execute Common Industrial Protocol (CIP) programming and configuration commands.
According to a notice from the US Cybersecurity and Infrastructure Security Agency (CISA), the vulnerability allows an attacker to bypass the Trusted Slot feature in a ControlLogix controller. Claroty, which discovered and reported the vulnerability, developed a technique to bypass the Trusted Slot feature and send malicious commands to a programmable logic controller (PLC) CPU. The vulnerability received a CVSS v3.1 score of 8.4, indicating high severity.
The Trusted Slot feature ensures the security of communication paths in the local chassis, and the vulnerability lets an attacker bypass it. Successful exploitation requires access to the device’s network and allows the attacker to send elevated commands, including loading arbitrary logic to the PLC CPU. An attacker could use this vulnerability to modify device configuration and user projects.
After responsible disclosure, the vulnerability was fixed in the following versions:
ControlLogix 5580 (1756-L8z): Update to version V32.016, V33.015, V34.014 or V35.011.
GuardLogix 5580 (1756-L8zS): Update to version V32.016, V33.015, V34.014 or V35.011.
1756-EN4TR: Update to version V5.001.
1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A: Update to version V12.001.
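The fixed versions listed above can be turned into an inventory triage check. The following is an added example, not code from Rockwell Automation, CISA or Claroty; the function names, the status strings, the reading of "z" as a catalog-number placeholder and the sample inventory rows are assumptions made for illustration.

```python
import re

# Fixed firmware transcribed from the list above: (catalog pattern, series, fixed builds).
# Assumption: the "z" in 1756-L8z / 1756-L8zS stands for the rest of the catalog number.
FIXED = [
    (r"1756-L8\w+", None, ["V32.016", "V33.015", "V34.014", "V35.011"]),
    (r"1756-EN4TR", None, ["V5.001"]),
    (r"1756-EN2T", "D", ["V12.001"]),
    (r"1756-EN2F", "C", ["V12.001"]),
    (r"1756-EN2TR", "C", ["V12.001"]),
    (r"1756-EN3TR", "B", ["V12.001"]),
    (r"1756-EN2TP", "A", ["V12.001"]),
]

def parse_version(text):
    """Turn 'V33.015' or '33.015' into (33, 15)."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(catalog, series, firmware):
    """Return (status, target): 'fixed', 'update' (with target build) or 'unknown'."""
    major, minor = parse_version(firmware)
    for pattern, fixed_series, builds in FIXED:
        if not re.fullmatch(pattern, catalog.strip().upper()):
            continue
        if fixed_series and (series or "").strip().upper() != fixed_series:
            continue  # the list names no fixed build for this series
        fixed = dict(parse_version(b) for b in builds)  # major -> minimum minor
        if major in fixed:
            if minor >= fixed[major]:
                return ("fixed", None)
            return ("update", f"V{major}.{fixed[major]:03d}")
        if major < min(fixed):
            low = min(fixed)  # older train: move to the lowest listed fixed build
            return ("update", f"V{low}.{fixed[low]:03d}")
        return ("unknown", None)  # newer train than any listed here
    return ("unknown", None)  # product or series not in the list

# Constructed sample inventory, not real asset data.
INVENTORY = [
    ("1756-L83E", None, "V33.014"),
    ("1756-L84ES", None, "V35.011"),
    ("1756-EN2T", "D", "V11.004"),
    ("1756-EN2T", "C", "V11.004"),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(row, "->", triage(*row))
```

An "unknown" result means the list above names no fixed build for that product, series or release train, so the device needs checking against the vendor advisory rather than being treated as safe.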
This vulnerability could open critical control systems to unauthorized access via the CIP protocol originating from untrusted chassis slots. Rockwell Automation has already released relevant updates to protect devices from this threat.