Preventing CVE-2023-3595, CVE-2023-3596: Rockwell Automation ControlLogix Vulnerabilities

Ryan Torvik - August 7, 2023 - 3 minute read

Tulip Tree Technology

Rockwell Automation released two CVEs, CVE-2023-3595 and CVE-2023-3596, for software vulnerabilities in several of their communications modules. These are critical flaws in the data parsing and should be taken very seriously by groups that are using these devices.

The remediation for these bugs has been to update the firmware and install Snort rules to look for traffic that might be targeting the vulnerabilities.

It is pretty common among security professionals to expect that these kinds of devices all have undiscovered vulnerabilities of this severity or higher. It appears the only solution is to isolate these devices as much as possible with network segmentation and constant network traffic monitoring.

But what if manufacturers were able to identify and remediate these vulnerabilities before the devices leave the manufacturing floor?

How these kinds of bugs are found

Disclaimer: we did not find these specific bugs. We don’t know exactly how these bugs were found by this APT crew. But this is the process we have used to find bugs like these.

Hackers don’t have access to the environments used to create firmware for these kinds of devices. Manufacturers have extremely precise simulators, a seemingly unending supply of cheap development boards, and rooms full of sample devices.

So we have to make do. We just need to have some way to run the firmware.

Emulating the underlying hardware is by far the most thorough way to run the target firmware. We model the processor(s), peripheral devices, figure out the timers, interrupts, paging, etc. They are all a bit fiddly. But we don’t have to be PERFECT. And we don’t have to support EVERY possible hardware configuration. We just have to be close enough to make the firmware think it is running on hardware.

Once we’ve got it running, we can apply our standard vulnerability discovery process to it. Figure out how data gets into the target system. Figure out how that data is formatted. Create a possible input that might cause a fault. Run the input through the emulated system checking for system faults. Rinse and repeat.
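The loop above in miniature, as an added example that is not the original post's code: a constructed length-prefixed message parser (not any Rockwell format) that trusts its declared length, the same parser with the check added, and a mutation harness that runs inputs through both and records anything that faults rather than being rejected cleanly. In an emulated system the "fault" would be a processor exception; here it is an uncaught Python exception.

```python
import random

# Constructed toy format: 1 byte type, 2 byte big-endian payload length, payload.
SEED = b"\x01\x00\x04ABCD"  # constructed valid message, declared length 4


def parse_message(data: bytes) -> dict:
    """Parser with a data-parsing defect: the declared length is trusted."""
    if len(data) < 3:
        raise ValueError("short header")  # graceful rejection, not a fault
    declared_len = int.from_bytes(data[1:3], "big")
    payload = data[3:3 + declared_len]
    # Reads at the declared length instead of the received length; on a device
    # this would be an out-of-bounds read, here it raises IndexError.
    checksum = payload[declared_len - 1] if declared_len else 0
    return {"type": data[0], "len": declared_len, "checksum": checksum}


def parse_message_fixed(data: bytes) -> dict:
    """Same parser with the declared length checked against what was received."""
    if len(data) < 3:
        raise ValueError("short header")
    declared_len = int.from_bytes(data[1:3], "big")
    if len(data) - 3 < declared_len:
        raise ValueError("truncated payload")
    payload = data[3:3 + declared_len]
    checksum = payload[declared_len - 1] if declared_len else 0
    return {"type": data[0], "len": declared_len, "checksum": checksum}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three random byte edits: overwrite, delete, or insert."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        roll = rng.random()
        if roll < 0.5:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif roll < 0.8 and len(buf) > 1:
            del buf[rng.randrange(len(buf))]
        else:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int, rng_seed: int = 1) -> list:
    """Run mutated inputs through the parser; return (input, fault type) pairs.
    ValueError is the parser rejecting bad input on purpose, so it is not a fault."""
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    faults = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:  # anything else is the "system fault" we look for
            faults.append((case, type(exc).__name__))
    return faults
```

Each recorded input is a candidate test case to replay against the parser after a fix, which is how the fixed version above is shown to be clean.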

Why are the bugs even there

Why can’t manufacturers find these bugs before they end up in customers’ environments? Precisely because they have their magnificent development environments. They aren’t hackers. They’re hardware makers. Their tools are designed to create very precise functionality. Retro-fitting a hacker toolkit into their development environments is impractical.

Rockwell Automation has prioritized the security of their products. Even though they have a very mature vulnerability identification process in their development pipeline, these kinds of bugs still pop up.

How do we fix the bugs before they leave the factory floor

Tulip Tree Technology is a group of former hackers who want to take our offensive cyber security expertise and help manufacturers make better products. We have developed a full-system emulator that can help with not only the functional development process, but also with finding software vulnerabilities before devices show up on customer networks.
