www.cisa.gov Open in urlscan Pro
2a02:26f0:3500:88d::447a  Public Scan

URL: https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01
Submission: On July 20 via api — Scanned from DE

Form analysis 2 forms found in the DOM

<form class="gsc-search-box gsc-search-box-tools" accept-charset="utf-8">
  <table cellspacing="0" cellpadding="0" role="presentation" class="gsc-search-box">
    <tbody>
      <tr>
        <td class="gsc-input">
          <div class="gsc-input-box" id="gsc-iw-id1">
            <table cellspacing="0" cellpadding="0" role="presentation" id="gs_id50" class="gstl_50 gsc-input" style="width: 100%; padding: 0px;">
              <tbody>
                <tr>
                  <td id="gs_tti50" class="gsib_a"><input autocomplete="off" type="text" size="10" class="gsc-input" name="search" title="search" aria-label="search" id="gsc-i-id1" dir="ltr" spellcheck="false"
                      style="width: 100%; padding: 0px; border: none; margin: 0px; height: auto; outline: none;"></td>
                  <td class="gsib_b">
                    <div class="gsst_b" id="gs_st50" dir="ltr"><a class="gsst_a" href="javascript:void(0)" title="Clear search box" role="button" style="display: none;"><span class="gscb_a" id="gs_cb50" aria-hidden="true">×</span></a></div>
                  </td>
                </tr>
              </tbody>
            </table>
          </div>
        </td>
        <td class="gsc-search-button"><button class="gsc-search-button gsc-search-button-v2"><svg width="13" height="13" viewBox="0 0 13 13">
              <title>search</title>
              <path
                d="m4.8495 7.8226c0.82666 0 1.5262-0.29146 2.0985-0.87438 0.57232-0.58292 0.86378-1.2877 0.87438-2.1144 0.010599-0.82666-0.28086-1.5262-0.87438-2.0985-0.59352-0.57232-1.293-0.86378-2.0985-0.87438-0.8055-0.010599-1.5103 0.28086-2.1144 0.87438-0.60414 0.59352-0.8956 1.293-0.87438 2.0985 0.021197 0.8055 0.31266 1.5103 0.87438 2.1144 0.56172 0.60414 1.2665 0.8956 2.1144 0.87438zm4.4695 0.2115 3.681 3.6819-1.259 1.284-3.6817-3.7 0.0019784-0.69479-0.090043-0.098846c-0.87973 0.76087-1.92 1.1413-3.1207 1.1413-1.3553 0-2.5025-0.46363-3.4417-1.3909s-1.4088-2.0686-1.4088-3.4239c0-1.3553 0.4696-2.4966 1.4088-3.4239 0.9392-0.92727 2.0864-1.3969 3.4417-1.4088 1.3553-0.011889 2.4906 0.45771 3.406 1.4088 0.9154 0.95107 1.379 2.0924 1.3909 3.4239 0 1.2126-0.38043 2.2588-1.1413 3.1385l0.098834 0.090049z">
              </path>
            </svg></button></td>
        <td class="gsc-clear-button">
          <div class="gsc-clear-button" title="clear results">&nbsp;</div>
        </td>
      </tr>
    </tbody>
  </table>
</form>

<form class="gsc-search-box gsc-search-box-tools" accept-charset="utf-8">
  <table cellspacing="0" cellpadding="0" role="presentation" class="gsc-search-box">
    <tbody>
      <tr>
        <td class="gsc-input">
          <div class="gsc-input-box" id="gsc-iw-id2">
            <table cellspacing="0" cellpadding="0" role="presentation" id="gs_id51" class="gstl_51 gsc-input" style="width: 100%; padding: 0px;">
              <tbody>
                <tr>
                  <td id="gs_tti51" class="gsib_a"><input autocomplete="off" type="text" size="10" class="gsc-input" name="search" title="search" aria-label="search" id="gsc-i-id2" dir="ltr" spellcheck="false"
                      style="width: 100%; padding: 0px; border: none; margin: 0px; height: auto; outline: none;"></td>
                  <td class="gsib_b">
                    <div class="gsst_b" id="gs_st51" dir="ltr"><a class="gsst_a" href="javascript:void(0)" title="Clear search box" role="button" style="display: none;"><span class="gscb_a" id="gs_cb51" aria-hidden="true">×</span></a></div>
                  </td>
                </tr>
              </tbody>
            </table>
          </div>
        </td>
        <td class="gsc-search-button"><button class="gsc-search-button gsc-search-button-v2"><svg width="13" height="13" viewBox="0 0 13 13">
              <title>search</title>
              <path
                d="m4.8495 7.8226c0.82666 0 1.5262-0.29146 2.0985-0.87438 0.57232-0.58292 0.86378-1.2877 0.87438-2.1144 0.010599-0.82666-0.28086-1.5262-0.87438-2.0985-0.59352-0.57232-1.293-0.86378-2.0985-0.87438-0.8055-0.010599-1.5103 0.28086-2.1144 0.87438-0.60414 0.59352-0.8956 1.293-0.87438 2.0985 0.021197 0.8055 0.31266 1.5103 0.87438 2.1144 0.56172 0.60414 1.2665 0.8956 2.1144 0.87438zm4.4695 0.2115 3.681 3.6819-1.259 1.284-3.6817-3.7 0.0019784-0.69479-0.090043-0.098846c-0.87973 0.76087-1.92 1.1413-3.1207 1.1413-1.3553 0-2.5025-0.46363-3.4417-1.3909s-1.4088-2.0686-1.4088-3.4239c0-1.3553 0.4696-2.4966 1.4088-3.4239 0.9392-0.92727 2.0864-1.3969 3.4417-1.4088 1.3553-0.011889 2.4906 0.45771 3.406 1.4088 0.9154 0.95107 1.379 2.0924 1.3909 3.4239 0 1.2126-0.38043 2.2588-1.1413 3.1385l0.098834 0.090049z">
              </path>
            </svg></button></td>
        <td class="gsc-clear-button">
          <div class="gsc-clear-button" title="clear results">&nbsp;</div>
        </td>
      </tr>
    </tbody>
  </table>
</form>

Text Content

Skip to main content

An official website of the United States government

Here’s how you know

Here’s how you know

Official websites use .gov
A .gov website belongs to an official government organization in the United
States.

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the
.gov website. Share sensitive information only on official, secure websites.


Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

Search

×

search
 

Menu
Close
×

search
 

 * Topics
   Topics
   Cybersecurity Best Practices
   Cyber Threats and Advisories
   Critical Infrastructure Security and Resilience
   Election Security
   Emergency Communications
   Industrial Control Systems
   Information and Communications Technology Supply Chain Security
   Partnerships and Collaboration
   Physical Security
   Risk Management
   How can we help?
   GovernmentEducational InstitutionsIndustryState, Local, Tribal, and
   TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help
   Locally
 * Spotlight
 * Resources & Tools
   Resources & Tools
   All Resources & Tools
   Services
   Programs
   Resources
   Training
   Groups
 * News & Events
   News & Events
   News
   Events
   Cybersecurity Alerts & Advisories
   Directives
   Request a CISA Speaker
   Congressional Testimony
 * Careers
   Careers
   Benefits & Perks
   HireVue Applicant Reasonable Accommodations Process
   Hiring
   Resume & Application Tips
   Students & Recent Graduates
   Veteran and Military Spouses
   Work @ CISA
 * About
   About
   Culture
   Divisions & Offices
   Regions
   Leadership
   Doing Business with CISA
   Contact Us
   Site Links
   Reporting Employee and Contractor Misconduct
   CISA GitHub

Report a Cyber Issue
America's Cyber Defense Agency
Breadcrumb
 1. Home
 2. News & Events
 3. Cybersecurity Advisories
 4. ICS Advisory

Share:


ICS Advisory


ROCKWELL AUTOMATION SELECT COMMUNICATION MODULES

Release Date
July 12, 2023
Alert Code
ICSA-23-193-01



1. EXECUTIVE SUMMARY

 * CVSS v3 9.8
 * ATTENTION: Exploitable remotely/low attack complexity
 * Vendor: Rockwell Automation
 * Equipment: 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK,
   1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK,
   1756-EN3TR, 1756-EN3TRK, 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT
 * Vulnerabilities: Out-of-bounds Write


2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow malicious actors to
gain remote access of the running memory of the module and perform malicious
activity.


3. TECHNICAL DETAILS


3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected: 

 * 1756-EN2T Series A, B, and C: Versions 5.008 and 5.028 and prior
 * 1756-EN2T Series D: Versions 11.003 and prior
 * 1756-EN2TK Series A, B, and C: Versions 5.008 and 5.028 and prior
 * 1756-EN2TK Series D: Versions 11.003 and prior
 * 1756-EN2TXT Series A, B, and C: Versions 5.008 and 5.028 and prior
 * 1756-EN2TXT Series D: Versions 11.003 and prior
 * 1756-EN2TP Series A: Versions 11.003 and prior
 * 1756-EN2TPK Series A: Versions 11.003 and prior
 * 1756-EN2TPXT Series A: Versions 11.003 and prior
 * 1756-EN2TR Series A and B: Versions 5.008 and 5.028 and prior
 * 1756-EN2TR Series C: Versions 11.003 and prior
 * 1756-EN2TRK Series A and B: Versions 5.008 and 5.028 and prior
 * 1756-EN2TRK Series C: Versions 11.003 and prior
 * 1756-EN2TRXT Series A and B: Versions 5.008 and 5.028 and prior
 * 1756-EN2TRXT Series C: Versions 11.003 and prior
 * 1756-EN2F Series A and B: Versions 5.008 and 5.028 and prior
 * 1756-EN2F Series C: Versions 11.003 and prior
 * 1756-EN2FK Series A and B: Versions 5.008 and 5.028 and prior
 * 1756-EN2FK Series C: Versions 11.003 and prior
 * 1756-EN3TR Series A: Versions 5.008 and 5.028 and prior
 * 1756-EN3TR Series B: Versions 11.003 and prior
 * 1756-EN3TRK Series A: Versions 5.008 and 5.028 and prior
 * 1756-EN3TRK Series B: Versions 11.003 and prior
 * 1756-EN4TR Series A: Versions 5.001 and prior
 * 1756-EN4TRK Series A: Versions 5.001 and prior
 * 1756-EN4TRXT Series A: Versions 5.001 and prior


3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787(link is external) 

Where this vulnerability exists in the 1756 EN2* and 1756 EN3* products, it
could allow a malicious user to perform remote code execution with persistence
on the target system through maliciously crafted CIP messages. This includes the
ability to modify, deny, and exfiltrate data passing through the device.

CVE-2023-3595 has been assigned to this vulnerability. A CVSS v3 base score of
9.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H(link is external)).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787(link is external)

Where this vulnerability exists in the 1756-EN4* products, it could allow a
malicious user to cause a denial-of-service condition by asserting the target
system through maliciously crafted CIP messages.

CVE-2023-3596 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H(link is external)).


3.3 BACKGROUND

 * CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing

 * COUNTRIES/AREAS DEPLOYED: Worldwide

 * COMPANY HEADQUARTERS LOCATION: United States


3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.


4. MITIGATIONS

Rockwell Automation has released the following versions to fix these
vulnerabilities and can be addressed by performing a standard firmware update.
Customers are strongly encouraged to implement the risk mitigations provided
below and to the extent possible, to combine these with the security best
practices(link is external) to employ multiple strategies simultaneously.

 * 1756-EN2T Series A, B, and C: Update to 5.029 or later signed versions
   (**recommended). Update to 5.009 for unsigned versions
 * 1756-EN2T Series D: Update to 11.004 or later
 * 1756-EN2TK Series A, B, and C: Update to 5.029 or later signed versions
   (**recommended). Update to 5.009 for unsigned versions
 * 1756-EN2TK Series D: Update to 11.004 or later
 * 1756-EN2TXT Series A, B, and C: Update to 5.029 or later signed versions
   (**recommended). Update to 5.009 for unsigned versions
 * 1756-EN2TXT Series D: Update to 11.004 or later
 * 1756-EN2TP Series A: Update to 11.004 or later
 * 1756-EN2TPK Series A: Update to 11.004 or later
 * 1756-EN2TPXT Series A: Update to 11.004 or later
 * 1756-EN2TR Series A and B: Update to 5.029 or later for signed versions
   (**recommended). Update to 5.009 for unsigned versions
 * 1756-EN2TR Series C: Update to 11.004 or later
 * 1756-EN2TRK Series A and B: Update to 5.029 or later for signed versions
   (**recommended). Update to 5.009 for unsigned versions
 * 1756-EN2TRK Series C: Update to 11.004 or later
 * 1756-EN2TRXT Series A and B: Update to 5.029 or later for signed versions
   (**recommended). Update to 5.009 for unsigned versions
 * 1756-EN2TRXT Series C: Update to 11.004 or later
 * 1756-EN2F Series A and B: Update to 5.029 or later for signed versions
   (**recommended). Update to 5.009 for unsigned versions
 * 1756-EN2F Series C: Update to 11.004 or later
 * 1756-EN2FK Series A and B: Update to 5.029 or later for signed versions
   (**recommended). Update to 5.009 for unsigned versions
 * 1756-EN2FK Series C: Update to 11.004 or later
 * 1756-EN3TR Series A: Update to 5.029 or later for signed versions
   (**recommended). Update to 5.009 for unsigned versions
 * 1756-EN3TR Series B: Update to 11.004 or later
 * 1756-EN3TRK Series A: Update to 5.029 or later for signed versions
   (**recommended). Update to 5.009 for unsigned versions
 * 1756-EN3TRK Series B: Update to 11.004 or later
 * 1756-EN4TR Series A: Update to 5.002 or later
 * 1756-EN4TRK Series A: Update to 5.002 or later
 * 1756-EN4TRXT Series A: Update to 5.002 or later

** Rockwell Automation strongly recommends updating to signed firmware if
possible. Once the module is updated to signed firmware (example 5.008 to
5.0029), it is not possible to revert to unsigned firmware versions.

Organizations should take the following actions to further secure ControlLogix
communications modules from exploitation:

 * Update firmware. Update EN2* ControlLogix communications modules to firmware
   revision 11.004 and update EN4* ControlLogix communications modules to
   firmware revision 5.002. 

 * Properly segment networks. Given a cyber actor would require network
   connectivity to the communication module to exploit the vulnerability,
   organizations should ensure ICS/SCADA networks are properly segmented within
   the process structure as well as from the Internet and other non-essential
   networks.

 * Implement detection signatures. Use appended Snort signatures to monitor and
   detect anomalous Common Industrial Protocol (CIP) packets to Rockwell
   Automation devices.

For more information and to see Rockwell’s detection rules, see Rockwell
Automation’s Security Advisory(link is external).

CISA reminds organizations to perform proper impact analysis and risk assessment
prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

No known public exploits specifically target these vulnerabilities.

This product is provided subject to this Notification and this Privacy &
Use policy.


PLEASE SHARE YOUR THOUGHTS

We recently updated our anonymous product survey; we’d welcome your feedback.


RELATED ADVISORIES

Jul 18, 2023
ICS Advisory | ICSA-23-199-06


GE DIGITAL CIMPLICITY

Jul 18, 2023
ICS Advisory | ICSA-23-199-01


ROCKWELL AUTOMATION KINETIX 5700 DC BUS POWER SUPPLY

Jul 18, 2023
ICS Advisory | ICSA-23-199-04


WEINTEK WEINCLOUD

Jul 18, 2023
ICS Advisory | ICSA-23-199-02


KEYSIGHT N6845A GEOLOCATION SERVER

Return to top
 * Topics
 * Spotlight
 * Resources & Tools
 * News & Events
 * Careers
 * About

Cybersecurity & Infrastructure Security Agency
 * Facebook
 * Twitter
 * LinkedIn
 * YouTube
 * Instagram
 * RSS

CISA Central 888-282-0870 Central@cisa.dhs.gov(link sends email)
DHS Seal
CISA.gov
An official website of the U.S. Department of Homeland Security
 * About CISA
 * Accessibility
 * Budget and Performance
 * DHS.gov
 * FOIA Requests
 * No FEAR Act
 * Office of Inspector General
 * Privacy Policy
 * Subscribe
 * The White House
 * USA.gov
 * Website Feedback