www.cisa.gov
Open in
urlscan Pro
2a02:26f0:3500:88d::447a
Public Scan
URL:
https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01
Submission: On July 20 via api — Scanned from DE
Submission: On July 20 via api — Scanned from DE
Form analysis
2 forms found in the DOM<form class="gsc-search-box gsc-search-box-tools" accept-charset="utf-8">
<table cellspacing="0" cellpadding="0" role="presentation" class="gsc-search-box">
<tbody>
<tr>
<td class="gsc-input">
<div class="gsc-input-box" id="gsc-iw-id1">
<table cellspacing="0" cellpadding="0" role="presentation" id="gs_id50" class="gstl_50 gsc-input" style="width: 100%; padding: 0px;">
<tbody>
<tr>
<td id="gs_tti50" class="gsib_a"><input autocomplete="off" type="text" size="10" class="gsc-input" name="search" title="search" aria-label="search" id="gsc-i-id1" dir="ltr" spellcheck="false"
style="width: 100%; padding: 0px; border: none; margin: 0px; height: auto; outline: none;"></td>
<td class="gsib_b">
<div class="gsst_b" id="gs_st50" dir="ltr"><a class="gsst_a" href="javascript:void(0)" title="Clear search box" role="button" style="display: none;"><span class="gscb_a" id="gs_cb50" aria-hidden="true">×</span></a></div>
</td>
</tr>
</tbody>
</table>
</div>
</td>
<td class="gsc-search-button"><button class="gsc-search-button gsc-search-button-v2"><svg width="13" height="13" viewBox="0 0 13 13">
<title>search</title>
<path
d="m4.8495 7.8226c0.82666 0 1.5262-0.29146 2.0985-0.87438 0.57232-0.58292 0.86378-1.2877 0.87438-2.1144 0.010599-0.82666-0.28086-1.5262-0.87438-2.0985-0.59352-0.57232-1.293-0.86378-2.0985-0.87438-0.8055-0.010599-1.5103 0.28086-2.1144 0.87438-0.60414 0.59352-0.8956 1.293-0.87438 2.0985 0.021197 0.8055 0.31266 1.5103 0.87438 2.1144 0.56172 0.60414 1.2665 0.8956 2.1144 0.87438zm4.4695 0.2115 3.681 3.6819-1.259 1.284-3.6817-3.7 0.0019784-0.69479-0.090043-0.098846c-0.87973 0.76087-1.92 1.1413-3.1207 1.1413-1.3553 0-2.5025-0.46363-3.4417-1.3909s-1.4088-2.0686-1.4088-3.4239c0-1.3553 0.4696-2.4966 1.4088-3.4239 0.9392-0.92727 2.0864-1.3969 3.4417-1.4088 1.3553-0.011889 2.4906 0.45771 3.406 1.4088 0.9154 0.95107 1.379 2.0924 1.3909 3.4239 0 1.2126-0.38043 2.2588-1.1413 3.1385l0.098834 0.090049z">
</path>
</svg></button></td>
<td class="gsc-clear-button">
<div class="gsc-clear-button" title="clear results"> </div>
</td>
</tr>
</tbody>
</table>
</form>
<form class="gsc-search-box gsc-search-box-tools" accept-charset="utf-8">
<table cellspacing="0" cellpadding="0" role="presentation" class="gsc-search-box">
<tbody>
<tr>
<td class="gsc-input">
<div class="gsc-input-box" id="gsc-iw-id2">
<table cellspacing="0" cellpadding="0" role="presentation" id="gs_id51" class="gstl_51 gsc-input" style="width: 100%; padding: 0px;">
<tbody>
<tr>
<td id="gs_tti51" class="gsib_a"><input autocomplete="off" type="text" size="10" class="gsc-input" name="search" title="search" aria-label="search" id="gsc-i-id2" dir="ltr" spellcheck="false"
style="width: 100%; padding: 0px; border: none; margin: 0px; height: auto; outline: none;"></td>
<td class="gsib_b">
<div class="gsst_b" id="gs_st51" dir="ltr"><a class="gsst_a" href="javascript:void(0)" title="Clear search box" role="button" style="display: none;"><span class="gscb_a" id="gs_cb51" aria-hidden="true">×</span></a></div>
</td>
</tr>
</tbody>
</table>
</div>
</td>
<td class="gsc-search-button"><button class="gsc-search-button gsc-search-button-v2"><svg width="13" height="13" viewBox="0 0 13 13">
<title>search</title>
<path
d="m4.8495 7.8226c0.82666 0 1.5262-0.29146 2.0985-0.87438 0.57232-0.58292 0.86378-1.2877 0.87438-2.1144 0.010599-0.82666-0.28086-1.5262-0.87438-2.0985-0.59352-0.57232-1.293-0.86378-2.0985-0.87438-0.8055-0.010599-1.5103 0.28086-2.1144 0.87438-0.60414 0.59352-0.8956 1.293-0.87438 2.0985 0.021197 0.8055 0.31266 1.5103 0.87438 2.1144 0.56172 0.60414 1.2665 0.8956 2.1144 0.87438zm4.4695 0.2115 3.681 3.6819-1.259 1.284-3.6817-3.7 0.0019784-0.69479-0.090043-0.098846c-0.87973 0.76087-1.92 1.1413-3.1207 1.1413-1.3553 0-2.5025-0.46363-3.4417-1.3909s-1.4088-2.0686-1.4088-3.4239c0-1.3553 0.4696-2.4966 1.4088-3.4239 0.9392-0.92727 2.0864-1.3969 3.4417-1.4088 1.3553-0.011889 2.4906 0.45771 3.406 1.4088 0.9154 0.95107 1.379 2.0924 1.3909 3.4239 0 1.2126-0.38043 2.2588-1.1413 3.1385l0.098834 0.090049z">
</path>
</svg></button></td>
<td class="gsc-clear-button">
<div class="gsc-clear-button" title="clear results"> </div>
</td>
</tr>
</tbody>
</table>
</form>
Text Content
Skip to main content An official website of the United States government Here’s how you know Here’s how you know Official websites use .gov A .gov website belongs to an official government organization in the United States. Secure .gov websites use HTTPS A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites. Cybersecurity & Infrastructure Security Agency America's Cyber Defense Agency Search × search Menu Close × search * Topics Topics Cybersecurity Best Practices Cyber Threats and Advisories Critical Infrastructure Security and Resilience Election Security Emergency Communications Industrial Control Systems Information and Communications Technology Supply Chain Security Partnerships and Collaboration Physical Security Risk Management How can we help? GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help Locally * Spotlight * Resources & Tools Resources & Tools All Resources & Tools Services Programs Resources Training Groups * News & Events News & Events News Events Cybersecurity Alerts & Advisories Directives Request a CISA Speaker Congressional Testimony * Careers Careers Benefits & Perks HireVue Applicant Reasonable Accommodations Process Hiring Resume & Application Tips Students & Recent Graduates Veteran and Military Spouses Work @ CISA * About About Culture Divisions & Offices Regions Leadership Doing Business with CISA Contact Us Site Links Reporting Employee and Contractor Misconduct CISA GitHub Report a Cyber Issue America's Cyber Defense Agency Breadcrumb 1. Home 2. News & Events 3. Cybersecurity Advisories 4. ICS Advisory Share: ICS Advisory ROCKWELL AUTOMATION SELECT COMMUNICATION MODULES Release Date July 12, 2023 Alert Code ICSA-23-193-01 1. EXECUTIVE SUMMARY * CVSS v3 9.8 * ATTENTION: Exploitable remotely/low attack complexity * Vendor: Rockwell Automation * Equipment: 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK, 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT * Vulnerabilities: Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Rockwell Automation products are affected: * 1756-EN2T Series A, B, and C: Versions 5.008 and 5.028 and prior * 1756-EN2T Series D: Versions 11.003 and prior * 1756-EN2TK Series A, B, and C: Versions 5.008 and 5.028 and prior * 1756-EN2TK Series D: Versions 11.003 and prior * 1756-EN2TXT Series A, B, and C: Versions 5.008 and 5.028 and prior * 1756-EN2TXT Series D: Versions 11.003 and prior * 1756-EN2TP Series A: Versions 11.003 and prior * 1756-EN2TPK Series A: Versions 11.003 and prior * 1756-EN2TPXT Series A: Versions 11.003 and prior * 1756-EN2TR Series A and B: Versions 5.008 and 5.028 and prior * 1756-EN2TR Series C: Versions 11.003 and prior * 1756-EN2TRK Series A and B: Versions 5.008 and 5.028 and prior * 1756-EN2TRK Series C: Versions 11.003 and prior * 1756-EN2TRXT Series A and B: Versions 5.008 and 5.028 and prior * 1756-EN2TRXT Series C: Versions 11.003 and prior * 1756-EN2F Series A and B: Versions 5.008 and 5.028 and prior * 1756-EN2F Series C: Versions 11.003 and prior * 1756-EN2FK Series A and B: Versions 5.008 and 5.028 and prior * 1756-EN2FK Series C: Versions 11.003 and prior * 1756-EN3TR Series A: Versions 5.008 and 5.028 and prior * 1756-EN3TR Series B: Versions 11.003 and prior * 1756-EN3TRK Series A: Versions 5.008 and 5.028 and prior * 1756-EN3TRK Series B: Versions 11.003 and prior * 1756-EN4TR Series A: Versions 5.001 and prior * 1756-EN4TRK Series A: Versions 5.001 and prior * 1756-EN4TRXT Series A: Versions 5.001 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS WRITE CWE-787(link is external) Where this vulnerability exists in the 1756 EN2* and 1756 EN3* products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages. This includes the ability to modify, deny, and exfiltrate data passing through the device. CVE-2023-3595 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H(link is external)). 3.2.2 OUT-OF-BOUNDS WRITE CWE-787(link is external) Where this vulnerability exists in the 1756-EN4* products, it could allow a malicious user to cause a denial-of-service condition by asserting the target system through maliciously crafted CIP messages. CVE-2023-3596 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H(link is external)). 3.3 BACKGROUND * CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing * COUNTRIES/AREAS DEPLOYED: Worldwide * COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Rockwell Automation reported these vulnerabilities to CISA. 4. MITIGATIONS Rockwell Automation has released the following versions to fix these vulnerabilities and can be addressed by performing a standard firmware update. Customers are strongly encouraged to implement the risk mitigations provided below and to the extent possible, to combine these with the security best practices(link is external) to employ multiple strategies simultaneously. * 1756-EN2T Series A, B, and C: Update to 5.029 or later signed versions (**recommended). Update to 5.009 for unsigned versions * 1756-EN2T Series D: Update to 11.004 or later * 1756-EN2TK Series A, B, and C: Update to 5.029 or later signed versions (**recommended). Update to 5.009 for unsigned versions * 1756-EN2TK Series D: Update to 11.004 or later * 1756-EN2TXT Series A, B, and C: Update to 5.029 or later signed versions (**recommended). Update to 5.009 for unsigned versions * 1756-EN2TXT Series D: Update to 11.004 or later * 1756-EN2TP Series A: Update to 11.004 or later * 1756-EN2TPK Series A: Update to 11.004 or later * 1756-EN2TPXT Series A: Update to 11.004 or later * 1756-EN2TR Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions * 1756-EN2TR Series C: Update to 11.004 or later * 1756-EN2TRK Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions * 1756-EN2TRK Series C: Update to 11.004 or later * 1756-EN2TRXT Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions * 1756-EN2TRXT Series C: Update to 11.004 or later * 1756-EN2F Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions * 1756-EN2F Series C: Update to 11.004 or later * 1756-EN2FK Series A and B: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions * 1756-EN2FK Series C: Update to 11.004 or later * 1756-EN3TR Series A: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions * 1756-EN3TR Series B: Update to 11.004 or later * 1756-EN3TRK Series A: Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions * 1756-EN3TRK Series B: Update to 11.004 or later * 1756-EN4TR Series A: Update to 5.002 or later * 1756-EN4TRK Series A: Update to 5.002 or later * 1756-EN4TRXT Series A: Update to 5.002 or later ** Rockwell Automation strongly recommends updating to signed firmware if possible. Once the module is updated to signed firmware (example 5.008 to 5.0029), it is not possible to revert to unsigned firmware versions. Organizations should take the following actions to further secure ControlLogix communications modules from exploitation: * Update firmware. Update EN2* ControlLogix communications modules to firmware revision 11.004 and update EN4* ControlLogix communications modules to firmware revision 5.002. * Properly segment networks. Given a cyber actor would require network connectivity to the communication module to exploit the vulnerability, organizations should ensure ICS/SCADA networks are properly segmented within the process structure as well as from the Internet and other non-essential networks. * Implement detection signatures. Use appended Snort signatures to monitor and detect anomalous Common Industrial Protocol (CIP) packets to Rockwell Automation devices. For more information and to see Rockwell’s detection rules, see Rockwell Automation’s Security Advisory(link is external). CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target these vulnerabilities. This product is provided subject to this Notification and this Privacy & Use policy. PLEASE SHARE YOUR THOUGHTS We recently updated our anonymous product survey; we’d welcome your feedback. RELATED ADVISORIES Jul 18, 2023 ICS Advisory | ICSA-23-199-06 GE DIGITAL CIMPLICITY Jul 18, 2023 ICS Advisory | ICSA-23-199-01 ROCKWELL AUTOMATION KINETIX 5700 DC BUS POWER SUPPLY Jul 18, 2023 ICS Advisory | ICSA-23-199-04 WEINTEK WEINCLOUD Jul 18, 2023 ICS Advisory | ICSA-23-199-02 KEYSIGHT N6845A GEOLOCATION SERVER Return to top * Topics * Spotlight * Resources & Tools * News & Events * Careers * About Cybersecurity & Infrastructure Security Agency * Facebook * Twitter * LinkedIn * YouTube * Instagram * RSS CISA Central 888-282-0870 Central@cisa.dhs.gov(link sends email) DHS Seal CISA.gov An official website of the U.S. Department of Homeland Security * About CISA * Accessibility * Budget and Performance * DHS.gov * FOIA Requests * No FEAR Act * Office of Inspector General * Privacy Policy * Subscribe * The White House * USA.gov * Website Feedback