Multiple vulnerabilities in Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication modules



Published: 2023-07-15
Risk Critical
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2023-3595
CVE-2023-3596
CWE-ID CWE-787
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerable software
Subscribe 		1756-EN2T Series A
Client/Desktop applications / Software for system administration

1756-EN2T Series B
Client/Desktop applications / Software for system administration

1756-EN2T Series C
Client/Desktop applications / Software for system administration

1756-EN2T Series D
Client/Desktop applications / Software for system administration

1756-EN2TR Series A
Client/Desktop applications / Software for system administration

1756-EN2TR Series B
Client/Desktop applications / Software for system administration

1756-EN2TR Series C
Client/Desktop applications / Software for system administration

1756-EN2F Series A
Client/Desktop applications / Software for system administration

1756-EN2F Series C
Client/Desktop applications / Software for system administration

1756-EN3TR Series A
Client/Desktop applications / Software for system administration

1756-EN3TR Series B
Client/Desktop applications / Software for system administration

1756-EN2TK Series A
Server applications / SCADA systems

1756-EN2TK Series B
Server applications / SCADA systems

1756-EN2TK Series C
Server applications / SCADA systems

1756-EN2TK Series D
Server applications / SCADA systems

1756-EN2TXT Series A
Server applications / SCADA systems

1756-EN2TXT Series B
Server applications / SCADA systems

1756-EN2TXT Series C
Server applications / SCADA systems

1756-EN2TXT Series D
Server applications / SCADA systems

1756-EN2TP Series A
Server applications / SCADA systems

1756-EN2TPK Series A
Server applications / SCADA systems

1756-EN2TPXT Series A
Server applications / SCADA systems

1756-EN2TRK Series A
Server applications / SCADA systems

1756-EN2TRK Series B
Server applications / SCADA systems

1756-EN2TRK Series C
Server applications / SCADA systems

1756-EN2TRXT Series A
Server applications / SCADA systems

1756-EN2TRXT Series C
Server applications / SCADA systems

1756-EN2TRK Series B
Server applications / SCADA systems

1756-EN2FK Series A
Server applications / SCADA systems

1756-EN2FK Series C
Server applications / SCADA systems

1756-EN3TRK Series A
Server applications / SCADA systems

1756-EN3TRK Series B
Server applications / SCADA systems

1756-EN4TR Series A
Server applications / SCADA systems

1756-EN4TRK Series A
Server applications / SCADA systems

1756-EN4TRXT Series A
Server applications / SCADA systems

Vendor

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Out-of-bounds write

EUVDB-ID: #VU78271

Risk: Critical

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2023-3595

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing CIP messages. A remote attacker can send specially crafted CIP messages to ports 44818/TCP or 2222/UDP, trigger an out-of-bounds write and execute arbitrary code.

Note, the vulnerability is most likely being exploited in the wild.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

1756-EN2T Series A: before 5.009

1756-EN2T Series B: before 5.009

1756-EN2T Series C: before 5.009

1756-EN2T Series D: before 11.004

1756-EN2TK Series A: before 5.009

1756-EN2TK Series B: before 5.009

1756-EN2TK Series C: before 5.009

1756-EN2TK Series D: before 11.004

1756-EN2TXT Series A: before 5.009

1756-EN2TXT Series B: before 5.009

1756-EN2TXT Series C: before 5.009

1756-EN2TXT Series D: before 11.004

1756-EN2TP Series A: before 11.004

1756-EN2TPK Series A: before 11.004

1756-EN2TPXT Series A: before 11.004

1756-EN2TR Series A: before 5.009

1756-EN2TR Series B: before 5.009

1756-EN2TR Series C: before 11.004

1756-EN2TRK Series A: before 5.009

1756-EN2TRK Series B: before 5.029

1756-EN2TRK Series C: before 11.004

1756-EN2TRXT Series A: before 5.009

1756-EN2TRXT Series C: before 11.004

1756-EN2F Series A: before 5.009

1756-EN2TRK Series B: before 5.029

1756-EN2F Series C: before 11.004

1756-EN2FK Series A: before 5.009

1756-EN2FK Series C: before 11.004

1756-EN3TR Series A: before 5.029

1756-EN3TR Series B: before 11.004

1756-EN3TRK Series A: before 5.029

1756-EN3TRK Series B: before 11.004

External links

http://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1140010
http://www.bleepingcomputer.com/news/security/rockwell-warns-of-new-apt-rce-exploit-targeting-critical-infrastructure/
http://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

2) Out-of-bounds write

EUVDB-ID: #VU78272

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-3596

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing CIP messages. A remote attacker can send specially crafted CIP messages to the affected system, trigger an out-of-bounds write and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

1756-EN4TR Series A: before 5.002

1756-EN4TRK Series A: before 5.002

1756-EN4TRXT Series A: before 5.002

External links

http://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1140010
http://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###