CVE-2024-6242 Overview
A vulnerability exists in Rockwell Automation affected products that allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller. If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP (Common Industrial Protocol) commands that modify user projects and/or device configuration on a Logix controller in the chassis. This represents a significant security concern for industrial control system (ICS) environments where the Trusted Slot feature is relied upon as a security boundary.
Critical Impact
Successful exploitation allows attackers to bypass trusted slot security controls and execute unauthorized CIP commands, potentially leading to unauthorized modification of industrial control logic and device configurations in critical infrastructure environments.
Affected Products
- Rockwell Automation ControlLogix® controllers
- Rockwell Automation 1756 chassis modules
- Products utilizing the Trusted® Slot feature
Discovery Timeline
- August 1, 2024 - CVE-2024-6242 published to NVD
- August 1, 2024 - Last updated in NVD database
Technical Details for CVE-2024-6242
Vulnerability Analysis
This vulnerability is classified under CWE-420 (Unprotected Alternate Channel), indicating that the Trusted Slot security mechanism can be circumvented through an unprotected communication path. The Trusted Slot feature in Rockwell Automation ControlLogix controllers is designed to restrict which chassis slots can send potentially dangerous commands to the controller. However, this vulnerability allows an attacker to bypass these restrictions entirely.
The attack can be launched over the network and requires low privileges to execute. Once exploited, an attacker gains the ability to send CIP commands that would normally be blocked by the Trusted Slot configuration. This could result in unauthorized modifications to user projects (ladder logic, function blocks, structured text programs) and device configuration parameters that control physical industrial processes.
Root Cause
The root cause of this vulnerability lies in an unprotected alternate channel (CWE-420) within the communication architecture. The Trusted Slot feature was implemented to restrict CIP command execution to designated trusted slots within the 1756 chassis, but an alternate communication pathway exists that does not properly enforce these trust boundaries. This allows attackers to route malicious commands through the unprotected channel, effectively bypassing the security control.
Attack Vector
The vulnerability is exploitable over the network, requiring an attacker to have network access to the affected 1756 chassis. The attack requires low privilege levels and no user interaction, though certain preconditions must be met for successful exploitation. An attacker would target any affected module within the chassis to leverage the bypass and subsequently issue CIP commands to the ControlLogix controller.
The attack flow involves:
- Gaining network access to the target 1756 chassis environment
- Identifying an affected module that can be used as the bypass vector
- Sending specially crafted CIP commands through the unprotected channel
- Bypassing Trusted Slot validation to execute privileged operations
- Modifying controller projects or device configurations
Detection Methods for CVE-2024-6242
Indicators of Compromise
- Unexpected CIP command traffic originating from non-trusted slots within the 1756 chassis
- Unauthorized modifications to controller projects or configuration that cannot be attributed to legitimate operators
- Anomalous network traffic patterns to ControlLogix controllers from unexpected sources
Detection Strategies
- Deploy industrial protocol-aware network monitoring to inspect CIP traffic for commands originating from unexpected sources
- Implement change detection for controller projects and configurations to identify unauthorized modifications
- Monitor authentication and authorization logs for the ControlLogix environment for anomalous access patterns
Monitoring Recommendations
- Enable comprehensive logging on ControlLogix controllers and review logs regularly for suspicious CIP command execution
- Implement network segmentation monitoring to detect lateral movement attempts toward ICS assets
- Deploy industrial-specific intrusion detection systems (IDS) capable of parsing and alerting on CIP protocol anomalies
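The protocol-aware CIP inspection described under Detection Strategies and Monitoring Recommendations can be sketched as follows. This is an added example, not code from Rockwell Automation or from this advisory. The allow-list, the set of write-type services and the sample packet are constructed assumptions, and the parser covers only EtherNet/IP SendRRData requests with simple two-byte port segments.

```python
import struct

# Assumptions (site-specific, not from the advisory): the engineering-host
# allow-list and the set of state-changing CIP services worth alerting on.
ALLOWED_SOURCES = {"10.10.5.20"}
WRITE_SERVICES = {0x02: "Set_Attribute_All", 0x05: "Reset", 0x10: "Set_Attribute_Single",
                  0x4D: "Write_Tag", 0x53: "Write_Tag_Fragmented"}

def parse_message(msg):
    """Return (service, route); route lists (port, link) pairs of an Unconnected Send."""
    if len(msg) < 2:
        return None
    # Unconnected Send is service 0x52 addressed to the Connection Manager (class 6, instance 1).
    if msg[0] != 0x52 or msg[2:6] != b"\x20\x06\x24\x01":
        return msg[0], []                     # direct request, no routing
    body = msg[6:]                            # tick(1) timeout(1) embedded_len(2) embedded ...
    if len(body) < 4:
        return None
    emb_len = struct.unpack_from("<H", body, 2)[0]
    pos = 4 + emb_len + (emb_len & 1)         # embedded request is padded to even length
    if emb_len == 0 or len(body) < pos + 2:
        return None
    seg, route = body[pos + 2:pos + 2 + 2 * body[pos]], []
    # Simple 2-byte port segments only; stop at anything else (simplification).
    while len(seg) >= 2 and (seg[0] & 0xF0) == 0:
        route.append((seg[0], seg[1]))        # e.g. (1, 3) = backplane port 1, slot 3
        seg = seg[2:]
    return body[4], route

def inspect_enip(src_ip, payload):
    """Return an alert string for a write-type CIP request from a non-allow-listed host."""
    if len(payload) < 32 or struct.unpack_from("<H", payload)[0] != 0x006F:  # SendRRData
        return None
    count, off = struct.unpack_from("<H", payload, 30)[0], 32
    for _ in range(count):
        if off + 4 > len(payload):
            return None
        item_type, item_len = struct.unpack_from("<HH", payload, off)
        if item_type == 0x00B2:               # unconnected data item carries the CIP message
            parsed = parse_message(payload[off + 4:off + 4 + item_len])
            if parsed and parsed[0] in WRITE_SERVICES and src_ip not in ALLOWED_SOURCES:
                return f"ALERT {src_ip}: {WRITE_SERVICES[parsed[0]]} via route {parsed[1]}"
            return None
        off += 4 + item_len
    return None

# Constructed sample: Write_Tag wrapped in an Unconnected Send routed to port 1, slot 3.
SAMPLE = bytes.fromhex("6f002c00" "01000000" + "00" * 16 + "00000000" "0000" "0200"
                       "00000000" "b2001c00" "520220062401" "0a0e" "0e00"
                       "4d0291025370c40001002a000000" "0100" "0103")
```

The route reported in the alert shows which chassis slot a routed request is addressed to, which can be compared against the Trusted Slot configuration during triage.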
How to Mitigate CVE-2024-6242
Immediate Actions Required
- Review the Rockwell Automation Security Advisory SD1682 for specific patch and mitigation guidance
- Implement network segmentation to restrict access to 1756 chassis environments from untrusted networks
- Audit current Trusted Slot configurations and monitor for any bypass attempts
- Restrict network access to ControlLogix controllers to only authorized personnel and systems
Patch Information
Rockwell Automation has released security guidance addressing this vulnerability. Administrators should consult the official security advisory for specific firmware versions and patch availability. Apply vendor-recommended updates as soon as they become available after appropriate testing in non-production environments.
Workarounds
- Implement strict network segmentation to isolate ControlLogix controllers and 1756 chassis from general enterprise networks
- Deploy additional access controls such as industrial firewalls to filter and monitor CIP traffic
- Use defense-in-depth strategies including physical access controls for ICS environments
- Monitor for unauthorized changes to controller configurations using SentinelOne Singularity for OT environments where applicable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


