Logix (Industrial Controllers)

2024: Discovery of a vulnerability that allows hackers to gain control of factory machines

On August 1, 2024, Rockwell Automation reported the discovery of a dangerous hole in its Logix industrial controllers. If the vulnerability is successfully exploited, attackers can gain control over factory machines.

The problem (CVE-2024-6242) was identified by Claroty specialists. The flaw gives an attacker the ability to bypass the Trusted Slot function in the ControlLogix controller. The vulnerability was originally discovered in ControlLogix 1756 devices. However, further investigation revealed that decisions by GuardLogix and other Rockwell Automation controllers were also affected.

Rockwell Automation

The hole allows cybercriminals to execute arbitrary CIP (Common Industrial Protocol) commands, including to change the hardware configuration. An attacker can also send commands with elevated privileges, such as loading logic: this can have serious negative consequences. The fact is that the ControlLogix system provides process and drive control, as well as information exchange and input/output. The minimum ControlLogix configuration includes one controller and I/O modules in the same chassis. Rockwell Automation has already released the necessary updates to fix the flaw. Users are advised to upgrade their hardware to the following firmware versions:

• ControlLogix 5580 (1756-L8z) - V32.016, V33.015, V34.014, V35.011 and higher;
• GuardLogix 5580 (1756-L8zS) - V32.016, V33.015, V34.014, V35.011 and newer;
• 1756-EN4TR - V5.001 and higher;
• 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, 1756-EN2TP Series A — V12.001 и новее.

For users who, for some reason, cannot upgrade to one of the fixed versions, it is recommended to limit the allowed CIP commands on the controllers to minimize risk.^[1]

Notes