Full Report
ControlLogix 1756 is a series of programmable automation controllers from Rockwell for highly scalable industrial automation. The 1756 chassis is the component that serves as the enclosure and backplane for many modules and their connections. It communicates using the Common Industrial Protocol (CIP). When an operator at an engineering workstation wants to communicate with the PLC, the traffic is routed over CIP to the CPU card through a network card sitting in the same chassis.

The chassis has a security feature called trusted slot that is designed to prevent untrusted network cards from being added to the network plane: the idea is that an untrusted network card is refused data. In CIP routing, a path is the sequence of devices a message travels through, from a source device to a destination device. Within the chassis, each slot has its own unique path structure. Once a message is on the chassis, a check is made that the network card it came from is trusted; otherwise the packet is simply dropped.

Since all slots are connected to the backplane and CIP supports path routing, a packet could be generated whose path is routed through a trusted card FIRST, before reaching the CPU. By going between other trusted slots first and THEN routing to the untrusted slot, the CPU thought it was a valid route. An interesting abuse of built-in mechanics within a protocol! A super fun bug within an important security feature. I wish they had a path example in the code, but that's okay.
Analysis Summary
# Vulnerability: Rockwell Automation Logix Controllers Local Chassis Security Bypass
## CVE Details
- **CVE ID:** CVE-2024-6242
- **CVSS Score:** 8.4 (High)
- **CWE:** CWE-290 (Authentication Bypass by Spoofing) / CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** Rockwell Automation ControlLogix 1756, GuardLogix, and 1756 ControlLogix I/O Modules.
- **Versions:** Multiple versions prior to the August 2024 fix.
- **Configurations:** Systems utilizing the "Trusted Slot" security feature designed to restrict communication through untrusted backplane paths.
## Vulnerability Description
The "Trusted Slot" feature in the 1756 chassis is designed to prevent untrusted network cards from sending sensitive commands to the CPU. However, a logic flaw exists in how the CPU validates the Common Industrial Protocol (CIP) routing path.
In CIP routing, a packet contains a sequence of hops (the "path") to its destination. The CPU only validates the *last* hop in the path chain. An attacker can craft a CIP packet that first routes through a "Trusted" slot and then "jumps" to another slot before reaching the CPU. Because the CPU only checks if the immediate preceding hop came from a trusted source, it incorrectly authorizes the communication, even if the primary source of the packet was an untrusted network card.
## Exploitation
- **Status:** PoC described by research team (Team82); vulnerability is disclosed and patched.
- **Complexity:** Medium (Requires knowledge of CIP path construction and chassis layout).
- **Attack Vector:** Network (Requires network access to the industrial backplane/network card).
## Impact
- **Confidentiality:** Low (Focus is on control bypass).
- **Integrity:** High (Attacker can send elevated commands, such as downloading/altering PLC logic).
- **Availability:** High (Ability to stop the PLC or modify logic could lead to industrial downtime).
## Remediation
### Patches
- Rockwell Automation has issued a fix for the affected firmware. Users should refer to [Rockwell Advisory SD1682](https://www.rockwellautomation[.]com/en-us/trust-center/security-advisories/advisory.SD1682.html) for specific version updates.
### Workarounds
- Implement network segmentation to restrict access to the PLC backplane network.
- Utilize physical security (e.g., locking the chassis) and the physical Mode Switch (set to "Run" mode) to prevent unauthorized logic downloads.
## Detection
- **Snort Rule:** Team82 released a rule to detect multiple local chassis redirections in a single CIP Forward Open Request (the rule as published carries no `sid`; assign one from your local range before loading it):
`alert tcp any any -> any 44818 (content:"|6f 00|"; offset:0; pcre:"/\x54.*\xa3[^\x00-\x03](\x01[\x00-\x16]){2,}\x20\x02\$\x01/ms"; msg:"CVE-2024-6242: CIP suspicious forward open (might be used to bypass local chassis security)";)`
- **Method:** Monitor for CIP packets containing two or more local chassis redirection hops within the same backplane path.
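As an added example (not code from the page's author, Rockwell or Team82), the same check the Snort rule expresses as a regex, written as a small CIP EPATH parser: it walks port and logical segments and flags any connection path that crosses the backplane port two or more times in a row, while a legitimate route that leaves the chassis over Ethernet and re-enters another backplane is not flagged. The backplane port number (1) and the sample paths are assumptions constructed for this example.

```python
# Added example (not Rockwell's or Team82's code): walks a CIP EPATH and flags
# what the Snort rule above looks for: two or more consecutive backplane hops.
BACKPLANE_PORT = 1  # 1756 backplane port number; assumed for this example
def parse_epath(path: bytes) -> list:
    """Split a padded EPATH into ('port', port, link) / ('logical', type, value)."""
    i, segs = 0, []
    while i < len(path):
        seg, start = path[i], i
        i += 1
        if (seg & 0xE0) == 0x00:                   # port segment
            port, ext_link, n = seg & 0x0F, bool(seg & 0x10), 1
            if ext_link:                           # link address size byte
                n = path[i]; i += 1
            if port == 0x0F:                       # 16-bit extended port id
                port = int.from_bytes(path[i:i + 2], "little"); i += 2
            link = path[i:i + n]; i += n
            if ext_link and (i - start) % 2:       # pad to an even length
                i += 1
            segs.append(("port", port, link))
        elif (seg & 0xE0) == 0x20:                 # logical segment
            ltype, fmt = (seg >> 2) & 0x07, seg & 0x03
            if fmt == 0:
                value = path[i]; i += 1
            elif fmt in (1, 2):                    # pad byte, then 16/32-bit value
                width = 2 if fmt == 1 else 4
                value = int.from_bytes(path[i + 1:i + 1 + width], "little")
                i += 1 + width
            else:
                raise ValueError(f"reserved logical format at offset {start}")
            segs.append(("logical", ltype, value))
        else:
            raise ValueError(f"unsupported segment 0x{seg:02x} at offset {start}")
    return segs

def max_backplane_run(segs, port=BACKPLANE_PORT) -> int:
    """Longest run of consecutive hops over the backplane port."""
    best = run = 0
    for s in segs:
        run = run + 1 if s[0] == "port" and s[1] == port else 0
        best = max(best, run)
    return best

def is_suspicious(path: bytes) -> bool:
    # True when the path is redirected across the local chassis twice or more in a row
    return max_backplane_run(parse_epath(path)) >= 2

# Constructed sample paths (hex), not captured traffic:
NORMAL = bytes.fromhex("01 00 20 02 24 01")              # slot 0 -> Message Router
VIA_ETHERNET = bytes.fromhex("01 02 12 0c" + b"192.168.1.10".hex()
                             + "01 00 20 02 24 01")       # slot 2 ENB -> IP -> slot 0
DOUBLE_HOP = bytes.fromhex("01 03 01 00 20 02 24 01")     # slot 3 -> slot 0 -> Message Router
```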
## References
- Rockwell Advisory: [https://www.rockwellautomation[.]com/en-us/trust-center/security-advisories/advisory.SD1682.html]
- CISA Advisory: [https://www.cisa[.]gov/news-events/ics-advisories/icsa-24-214-09]
- Original Research: [https://claroty[.]com/team82/research/bypassing-rockwell-automation-logix-controllers-local-chassis-security-protection]