PatchSiren

CVE-2024-6242 Rockwell Automation CVE debrief

A vulnerability in Rockwell Automation ControlLogix and GuardLogix 5580 controllers, along with multiple 1756-series Ethernet communication modules, allows a threat actor to bypass the Trusted Slot feature. Successful exploitation could enable unauthorized CIP command execution to modify user projects and device configurations on Logix controllers within a 1756 chassis. The vulnerability was disclosed on August 1, 2024, with a CVSS 3.1 score of 8.4 (HIGH). Rockwell Automation has released firmware updates for most affected products; however, several older series (1756-EN2T Series A/B/C, 1756-EN2F Series A/B, 1756-EN2TR Series A/B, and 1756-EN3TR Series A) have no patch available and require hardware upgrades to remediate.

Vendor: Rockwell Automation
Product: ControlLogix 5580 (1756-L8z)
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-01
Original CVE updated: 2024-08-01
Advisory published: 2024-08-01
Advisory updated: 2024-08-01

Who should care

Organizations operating Rockwell Automation ControlLogix or GuardLogix 5580 systems in industrial environments, particularly those in critical infrastructure sectors including manufacturing, energy, water/wastewater, and chemical processing. Asset owners with 1756-series Ethernet communication modules in their control system architectures should prioritize assessment and remediation. System integrators and OT security teams responsible for maintaining secure configurations of Rockwell Automation PLC deployments should review firmware versions and hardware series in use.

Technical summary

The vulnerability exists in the Trusted Slot feature implementation of affected Rockwell Automation Logix controllers and Ethernet communication modules. A threat actor can bypass this security feature on any affected module installed in a 1756 chassis, potentially gaining the ability to execute Common Industrial Protocol (CIP) commands that modify user projects and device configurations on Logix controllers within the same chassis. The attack vector is network-based with high attack complexity, requiring low privileges and no user interaction. The vulnerability affects 16 distinct product configurations spanning ControlLogix 5580 controllers, GuardLogix 5580 safety controllers, and multiple series of 1756 Ethernet modules including EN2T, EN2F, EN2TR, EN3TR, EN4TR, and EN2TP variants.

Defensive priority

HIGH

Recommended defensive actions

  • Update ControlLogix 5580 (1756-L8z) to firmware versions V32.016, V33.015, V34.014, V35.011 or later
  • Update GuardLogix 5580 (1756-L8zS) to firmware versions V32.016, V33.015, V34.014, V35.011 or later
  • Update 1756-EN4TR to firmware version V5.001 or later
  • Update 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A to firmware version V12.001 or later
  • For 1756-EN2T Series A/B/C, 1756-EN2F Series A/B, 1756-EN2TR Series A/B, and 1756-EN3TR Series A with no available fix, upgrade to Series D hardware to remediate this vulnerability
  • Apply defense-in-depth mitigations, including setting the controller mode switch to the RUN position to limit the allowed CIP commands
  • Follow Rockwell Automation security best practices for industrial control systems
  • Implement network segmentation to restrict access to ControlLogix chassis and associated communication modules
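
The remediation list above can be turned into an inventory triage check. The following is an added example, not code from the advisory or from Rockwell Automation: it classifies each asset as already fixed, needing a firmware update, or needing a hardware upgrade. The inventory rows are constructed sample values, the function and status names are hypothetical, and treating controller firmware below V32 as needing an update is an assumption.

```python
import re

# Fixed versions transcribed from the remediation list above.
CONTROLLER_MIN = {32: 16, 33: 15, 34: 14, 35: 11}  # 1756-L8z / L8zS: major -> min minor
MODULE_FIX = {  # (catalog, series) -> first fixed (major, minor); None = any series
    ("1756-EN4TR", None): (5, 1),
    ("1756-EN2T", "D"): (12, 1), ("1756-EN2F", "C"): (12, 1),
    ("1756-EN2TR", "C"): (12, 1), ("1756-EN3TR", "B"): (12, 1),
    ("1756-EN2TP", "A"): (12, 1),
}
NO_FIX = {  # series with no firmware fix: hardware upgrade required
    "1756-EN2T": {"A", "B", "C"}, "1756-EN2F": {"A", "B"},
    "1756-EN2TR": {"A", "B"}, "1756-EN3TR": {"A"},
}

def parse_fw(text):
    """Turn 'V33.015' or '33.015' into the tuple (33, 15)."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(catalog, series, firmware):
    """Return OK, UPDATE_FIRMWARE, REPLACE_HARDWARE or NOT_LISTED for one asset."""
    catalog, series = catalog.strip().upper(), series.strip().upper()
    major, minor = parse_fw(firmware)
    if catalog.startswith("1756-L8"):  # ControlLogix / GuardLogix 5580
        if major > max(CONTROLLER_MIN):  # newer than V35.x counts as "or later"
            return "OK"
        # Assumption: majors below 32 have no listed fix, so they need an update.
        floor = CONTROLLER_MIN.get(major)
        return "OK" if floor is not None and minor >= floor else "UPDATE_FIRMWARE"
    if series in NO_FIX.get(catalog, set()):
        return "REPLACE_HARDWARE"
    fixed = MODULE_FIX.get((catalog, None)) or MODULE_FIX.get((catalog, series))
    if fixed is None:
        return "NOT_LISTED"  # not in the advisory's product list as given on this page
    return "OK" if (major, minor) >= fixed else "UPDATE_FIRMWARE"

# Constructed inventory rows: (catalog number, hardware series, firmware revision).
INVENTORY = [
    ("1756-L83E", "", "V33.014"), ("1756-L84ES", "", "V35.011"),
    ("1756-EN2T", "C", "V11.004"), ("1756-EN2T", "D", "V11.004"),
    ("1756-EN4TR", "A", "V5.001"), ("1756-IB16", "A", "V3.001"),
]

def report(rows=INVENTORY):
    return [(c, s, f, triage(c, s, f)) for c, s, f in rows]

if __name__ == "__main__":
    for row in report():
        print(*row, sep="\t")
```
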

Evidence notes

Vulnerability description and affected product list derived from CISA CSAF advisory ICSA-24-214-09. CVSS score and severity from official CVE record. Remediation guidance including specific firmware versions and hardware upgrade requirements from vendor remediations in source advisory.
