CISA Flags New Apple & Rockwell Flaws
CISA has added several new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The newly listed flaws from Apple, Rockwell, and Hikvision are already being exploited in the wild, posing immediate risks to enterprise and critical infrastructure networks.
The Rockwell Automation vulnerability, CVE-2021-22681, is a critical issue within the Studio 5000 Logix Designer software. This flaw allows a remote, unauthenticated attacker to bypass a key verification mechanism and communicate with Logix controllers as if it were a trusted system. Successful exploitation could permit an attacker to alter controller configurations or application code, potentially disrupting industrial processes. This insufficiently protected credentials vulnerability affects a wide range of Rockwell's Logix controllers, including ControlLogix, CompactLogix, and GuardLogix. The issue, first disclosed in 2021, has only recently been confirmed as actively exploited in the wild. For DoD environments, this represents a significant threat to operational technology (OT) systems, as it could allow unauthorized users to manipulate industrial control systems.

The Apple vulnerabilities added to the KEV catalog include several use-after-free and memory corruption flaws. For example, CVE-2023-43000 is a use-after-free issue in WebKit that can be triggered by maliciously crafted web content, leading to memory corruption. These vulnerabilities are part of a sophisticated iOS exploit kit named "Coruna," which has been used by various threat actors, including state-sponsored espionage groups and financially motivated criminals.

For Splunk engineers, detecting exploitation of these vulnerabilities requires a multi-faceted approach. Ingesting and analyzing web server and network traffic logs can help identify attempts to exploit the Hikvision command injection flaw (CVE-2017-7921). For the Rockwell vulnerability, monitoring network traffic for unusual communication patterns with industrial controllers is crucial. Detections should focus on identifying unauthorized systems attempting to communicate with Logix PLCs.

From a Zero Trust perspective, these vulnerabilities underscore the importance of the User and Identity pillar. The Rockwell flaw, in particular, highlights the risk of assumed trust between systems. Implementing strict network segmentation to isolate industrial control systems and enforcing strong authentication and access controls for all users and devices attempting to connect to these systems are critical mitigation steps.

Mapping these threats to DoD Zero Trust controls involves several key areas. For the User pillar, this includes implementing robust identity and access management (IAM) and enforcing multi-factor authentication (MFA) for all users, especially those with access to critical infrastructure. For the Device pillar, it is essential to maintain a comprehensive inventory of all connected devices and ensure they are running up-to-date software and security configurations. Continuous monitoring and logging of all network traffic, as outlined in the Network pillar, is also vital for detecting and responding to potential threats.
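The Rockwell detection guidance above, flagging hosts outside an approved engineering-workstation list that open sessions to Logix PLCs, as an added example run over constructed Zeek-style connection records (this is not code from CISA, Rockwell, or Splunk). The PLC and workstation addresses are assumed; TCP port 44818 is the EtherNet/IP explicit-messaging port that Logix controllers listen on.

```python
"""Flag EtherNet/IP sessions to Logix PLCs from non-approved hosts.
Added example with constructed data; not vendor or Splunk code."""
from dataclasses import dataclass

ENIP_PORT = 44818  # EtherNet/IP (CIP) explicit messaging over TCP, used by Logix controllers

# Constructed asset inventory: the Logix PLCs and the only workstations allowed to program them.
LOGIX_PLCS = {"10.10.5.10", "10.10.5.11"}
APPROVED_WORKSTATIONS = {"10.10.1.20"}

# Constructed Zeek-style conn records: ts, src_ip, src_port, dst_ip, dst_port, proto
SAMPLE_CONN_LOG = """\
1711111111.100\t10.10.1.20\t51000\t10.10.5.10\t44818\ttcp
1711111112.200\t10.10.1.20\t51001\t10.10.5.11\t44818\ttcp
1711111120.300\t10.10.9.77\t40222\t10.10.5.10\t44818\ttcp
1711111125.400\t10.10.9.77\t40223\t10.10.5.10\t80\ttcp
1711111130.500\t192.168.77.5\t60001\t10.10.5.11\t44818\ttcp
"""


@dataclass(frozen=True)
class Alert:
    ts: float
    src_ip: str
    dst_ip: str
    reason: str


def parse_conn(line):
    """Parse one tab-separated record; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    ts, src, _sport, dst, dport, proto = fields
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def find_unauthorized_plc_sessions(log_text, plcs=LOGIX_PLCS, approved=APPROVED_WORKSTATIONS):
    """Return an Alert for every EtherNet/IP session to a PLC from a host not on the allow-list."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_conn(line)
        if rec is None:
            continue
        to_plc_enip = rec["dst"] in plcs and rec["proto"] == "tcp" and rec["dport"] == ENIP_PORT
        if to_plc_enip and rec["src"] not in approved:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], "EtherNet/IP session from non-approved host"))
    return alerts


if __name__ == "__main__":
    for a in find_unauthorized_plc_sessions(SAMPLE_CONN_LOG):
        print(f"{a.ts:.3f} {a.src_ip} -> {a.dst_ip}: {a.reason}")
```

The same logic translates directly to a Splunk search that filters on dest_port 44818 against a PLC lookup and excludes the approved workstation list.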