Advisory Details
Rockwell ControlLogix Exploitation
On July 12th, 2023, Rockwell Automation has uncovered exploits attributed to (APT) Advanced Persistent Threat actors affecting Rockwell’s ControlLogix EtherNet/IP communication modules. Specifically, models 1756-EN2, 1756-EN3 (CVE-2023-3595), and 1756-EN4 (CVE-2023-3596). These vulnerabilities allow (DoS) denial of service attacks and remote code execution with persistence on these corresponding Rockwell devices.
The level of impact from these exploits varies depending on system configuration but left unacknowledged, could lead to manipulation of control for disruptive and/or destructive consequences on installations for which the Rockwell ControlLogix systems are responsible, denial or loss of control, denial or loss of view, and theft of operational data.  In either case there’s also potential for the attacker to overwrite parts of the system to mask themselves to stay persistent, and/or overwrite interfaces utilized for incident response forensics to avoid detection – as malware. Vulnerabilities exploited in this type of manner render communication modules untrustworthy and need to be de-commissioned then returned to vendor for further inspection.
Actions and/or Recommendations
- Determine if CVE-2023-3595 CVE-2023-3596 impact current OT hardware assets.
- Ensure projects moving forward are managing this CVE.
- Engage Mangan Cybersecurity for assistance with impacted hardware.
- Upgrade to the latest version of device firmware. 1756-EN2* and EN3* models will need to be upgraded to at version 11.004 or 5.029 at minimum, depending on series. 1756-EN4* models will need to be upgraded to firmware version 5.002. You can find the latest Rockwell firmware updates here.
- Develop comprehensive understanding of normal operations, controls, and data acquisition needs. Include business continuity objectives as well as return to normal targets that minimize safety, operational, and business interruptions.
- Based on the knowledge gained, develop a monitoring strategy to identify undesired access or activity on impacted systems.
Mangan Cybersecurity has well-established templates and techniques to assist with the above suggestions expediently and effectively to resolve the Rockwell ControlLogix exploitation.
About REAL Matters and Mangan Inc.
REAL Matters advisories are published to communicate cybersecurity threats and risks within the Operational Technology (OT) environment and where Critical Infrastructure vulnerabilities are identified. The purpose of this newsletter is to inform, propose suggested approaches to mitigate the risk as well as provide feedback on how Mangan Cybersecurity is approaching the issue(s) addressed.
Mangan Inc. is a nationally-recognized Specialty Engineering, Automation, and Integration company, providing a full-range of services to the Oil & Gas, Refining, Pipeline, Chemicals, and Life Sciences Industries. Established in Long Beach, California in 1990, Mangan’s multiple office locations include sites in California, Georgia, New Hampshire, North Carolina, Texas, and Louisiana. Mangan’s 350+ employee-owners bring expertise, innovation, and safety as their core mission to some of the largest companies in the world.
