CVE-2024-6242

Rockwell Automation Chassis Restrictions Bypass Vulnerability in Select Logix Devices

Description

A vulnerability exists in Rockwell Automation affected products that allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller. If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.

Remediation

Workaround:

  Affected Product                                                                                  | First Known in Firmware Revision                                                                                      | Corrected in Firmware Revision
  --------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------
  ControlLogix® 5580 (1756-L8z)                                                                     | V28                                                                                                                   | V32.016, V33.015, V34.014, V35.011 and later
  GuardLogix® 5580 (1756-L8zS)                                                                      | V31                                                                                                                   | V32.016, V33.015, V34.014, V35.011 and later
  1756-EN4TR                                                                                        | V2                                                                                                                    | V5.001 and later
  1756-EN2T Series A/B/C; 1756-EN2F Series A/B; 1756-EN2TR Series A/B; 1756-EN3TR Series B          | v5.007 (unsigned) / v5.027 (signed)                                                                                   | No fix is available for Series A/B/C. Users can upgrade to Series D to remediate this vulnerability
  1756-EN2T Series D; 1756-EN2F Series C; 1756-EN2TR Series C; 1756-EN3TR Series B; 1756-EN2TP Series A | 1756-EN2T/D: V10.006; 1756-EN2F/C: V10.009; 1756-EN2TR/C: V10.007; 1756-EN3TR/B: V10.007; 1756-EN2TP/A: V10.020 | V12.001 and later

Users running affected firmware who are not able to upgrade to one of the corrected versions are encouraged to apply the following mitigation and security best practices, where possible:

  • Limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.
  • Follow Rockwell Automation's Security Best Practices: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight

Severity

CVSS 4.0 score: 7.3 (Severity: High)
EPSS: 0.20%
Affected: Rockwell Automation ControlLogix® 5580 (1756-L8z)
Affected: Rockwell Automation GuardLogix® 5580 (1756-L8zS)
Affected: Rockwell Automation 1756-EN4TR
Affected: Rockwell Automation 1756-EN2T
Affected: Rockwell Automation 1756-EN2F
Affected: Rockwell Automation 1756-EN2TR
Affected: Rockwell Automation 1756-EN3TR
Affected: Rockwell Automation 1756-EN2T
Affected: Rockwell Automation 1756-EN2F
Affected: Rockwell Automation 1756-EN2TR
Affected: Rockwell Automation 1756-EN3TR
Affected: Rockwell Automation 1756-EN2TP

Frequently Asked Questions

What is the severity of CVE-2024-6242?
CVE-2024-6242 has been scored as a high severity vulnerability.
How to fix CVE-2024-6242?
As a workaround for remediating CVE-2024-6242, upgrade each affected product to the corrected firmware revision listed in the Remediation section above (for 1756-EN2T Series A/B/C, 1756-EN2F Series A/B, 1756-EN2TR Series A/B and 1756-EN3TR Series B no fix is available, and users can upgrade to Series D to remediate this vulnerability). Users running affected firmware who are not able to upgrade to a corrected version are encouraged to limit the allowed CIP commands on controllers by setting the mode switch to the RUN position and to follow Rockwell Automation's Security Best Practices: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1085012/loc/en_US#__highlight
Is CVE-2024-6242 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2024-6242 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-6242?
CVE-2024-6242 affects Rockwell Automation ControlLogix® 5580 (1756-L8z), Rockwell Automation GuardLogix® 5580 (1756-L8zS), Rockwell Automation 1756-EN4TR, Rockwell Automation 1756-EN2T, Rockwell Automation 1756-EN2F, Rockwell Automation 1756-EN2TR, Rockwell Automation 1756-EN3TR, Rockwell Automation 1756-EN2T, Rockwell Automation 1756-EN2F, Rockwell Automation 1756-EN2TR, Rockwell Automation 1756-EN3TR, Rockwell Automation 1756-EN2TP.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.