APT group owns exploit for critical infrastructure RCE exploit

Home / Threat Intelligence bulletins / APT group owns exploit for critical infrastructure RCE exploit

Target Industry

Manufacturing and energy industry sectors.

Overview

A remote code execution (RCE) exploit has been detected as having potential target unpatched ControlLogix communications modules. The vulnerability, tracked as CVE-2023-3595 (CVSS v3 9.8), pertains to an out-of-bounds write weakness and has been linked to an unnamed advanced persistent threat (APT) group.

Impact

Successful exploitation of CVE-2023-3595 could allow threat actors to gain remote code execution capabilities or trigger denial-of-service (DoS) states via maliciously crafted Common Industrial Protocol (CIP) messages. Subsequent compromises could include:

  • Manipulation of the module’s firmware
  • Wiping the module memory
  • Altering data traffic to and from the module
  • Establishing persistent control

Vulnerability Detection

Rockwell have released security updates with regards to the vulnerability reported on. As such, previous versions are vulnerable to potential exploitation.

Affected Products

The following Rockwell Automation products are affected by CVE-2023-3595:

  • 1756-EN2T Series A, B, and C: Versions 5.008 and 5.028 and prior
  • 1756-EN2T Series D: Versions 11.003 and prior
  • 1756-EN2TK Series A, B, and C: Versions 5.008 and 5.028 and prior
  • 1756-EN2TK Series D: Versions 11.003 and prior
  • 1756-EN2TXT Series A, B, and C: Versions 5.008 and 5.028 and prior
  • 1756-EN2TXT Series D: Versions 11.003 and prior
  • 1756-EN2TP Series A: Versions 11.003 and prior
  • 1756-EN2TPK Series A: Versions 11.003 and prior
  • 1756-EN2TPXT Series A: Versions 11.003 and prior
  • 1756-EN2TR Series A and B: Versions 5.008 and 5.028 and prior
  • 1756-EN2TR Series C: Versions 11.003 and prior
  • 1756-EN2TRK Series A and B: Versions 5.008 and 5.028 and prior
  • 1756-EN2TRK Series C: Versions 11.003 and prior
  • 1756-EN2TRXT Series A and B: Versions 5.008 and 5.028 and prior
  • 1756-EN2TRXT Series C: Versions 11.003 and prior
  • 1756-EN2F Series A and B: Versions 5.008 and 5.028 and prior
  • 1756-EN2F Series C: Versions 11.003 and prior
  • 1756-EN2FK Series A and B: Versions 5.008 and 5.028 and prior
  • 1756-EN2FK Series C: Versions 11.003 and prior
  • 1756-EN3TR Series A: Versions 5.008 and 5.028 and prior
  • 1756-EN3TR Series B: Versions 11.003 and prior
  • 1756-EN3TRK Series A: Versions 5.008 and 5.028 and prior
  • 1756-EN3TRK Series B: Versions 11.003 and prior
  • 1756-EN4TR Series A: Versions 5.001 and prior
  • 1756-EN4TRK Series A: Versions 5.001 and prior
  • 1756-EN4TRXT Series A: Versions 5.001 and prior

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security updates are applied as soon as possible. The versions outlined below are those which have addressed the vulnerability:

  • 1756-EN2T Series A, B, and C: Update to 5.029 or later signed versions (**recommended). Update to 5.009 for unsigned versions
  • 1756-EN2T Series D: Update to 11.004 or later
  • 1756-EN2TK Series A, B, and C: Update to 5.029 or later signed versions (**recommended). Update to 5.009 for unsigned versions
  • 1756-EN2TK Series D: Update to 11.004 or later
  • 1756-EN2TXT Series A, B, and C: Update to 5.029 or later signed versions (**recommended). Update to 5.009 for unsigned versions
  • 1756-EN2TXT Series D: Update to 11.004 or later
  • 1756-EN2TP Series A: Update to 11.004 or later
  • 1756-EN2TPK Series A: Update to 11.004 or later
  • 1756-EN2TPXT Series A: Update to 11.004 or later
  • 1756-EN2TR Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
  • 1756-EN2TR Series C: Update to 11.004 or later
  • 1756-EN2TRK Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
  • 1756-EN2TRK Series C: Update to 11.004 or later
  • 1756-EN2TRXT Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
  • 1756-EN2TRXT Series C: Update to 11.004 or later
  • 1756-EN2F Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
  • 1756-EN2F Series C: Update to 11.004 or later
  • 1756-EN2FK Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
  • 1756-EN2FK Series C: Update to 11.004 or later
  • 1756-EN3TR Series A: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
  • 1756-EN3TR Series B: Update to 11.004 or later
  • 1756-EN3TRK Series A: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions
  • 1756-EN3TRK Series B: Update to 11.004 or later
  • 1756-EN4TR Series A: Update to 5.002 or later
  • 1756-EN4TRK Series A: Update to 5.002 or later
  • 1756-EN4TRXT Series A: Update to 5.002 or later

It is also strongly recommended that the additional security practices outlined below are adhered to:

  • Update EN2* ControlLogix communications modules to firmware revision 11.004 and update EN4* ControlLogix communications modules to firmware revision 5.002.
  • Implement network segmentation
  • Implement detection signatures.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Rockwell Automation occupies a significant proportion of the industrial automation market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, Rockwell products could emerge as a prime target. Due to the fact that Rockwell Automation products have become an integral aspect of critical infrastructure business operations, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.

Threat Group

Intelligence gathering has revealed that an unnamed APT group owns an exploit relating to CVE-2023-3595. However, at the time of writing, implementation of the exploit has yet to occur, although it is likely that an associated attack campaign will be initiated in the future.

Mitre Methodologies

Common Weakness Enumeration (CWE):

CWE-787 – Out-of-bounds Write

Further Information

Rockwell Automation Security Advisory

 

An Intelligence Terminology Yardstick to showing the likelihood of events