Rockwell Automation ControlLogix 5580 and CompactLogix 5380
Monitor | 6.8 | ICS-CERT ICSA-17-094-05 | Apr 4, 2017
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A remotely exploitable denial-of-service vulnerability in ControlLogix 5580 and CompactLogix 5380 controllers allows an unauthenticated attacker to send specially crafted packets over the network that consume the device's memory or processing resources, causing the controller to become unresponsive. An affected controller that stops responding fails to execute control logic, halts process operations, and requires manual intervention to restart. The ControlLogix 5580 is vulnerable in firmware versions 28.011, 28.012, 28.013, and 29.011. The CompactLogix 5380 is vulnerable in firmware versions 28.011 and 29.011.
What this means
What could happen
An attacker who can reach the controller over the network could send specially crafted packets that exhaust the device's memory or processing capacity, causing the PLC to become unresponsive and halting industrial processes until the controller is restarted.
Who's at risk
Manufacturing facilities and infrastructure operators using Rockwell Automation programmable logic controllers (PLCs), especially water treatment and power distribution systems where process continuity is critical. CompactLogix 5380 controllers are common in smaller automation applications; ControlLogix 5580 controllers are used in larger production and utility environments.
How it could be exploited
An attacker sends malformed network packets designed to consume the controller's resources. The attack requires network connectivity to the device but no credentials or special configuration. The device processes the packets and becomes unable to respond to legitimate program logic or network requests.
Prerequisites
- Network access to the affected ControlLogix 5580 or CompactLogix 5380 controller port 502 (EtherNet/IP)
- No credentials required
- No special device configuration required
- Remotely exploitable
- No authentication required
- Actively exploitable attack vector documented
- CompactLogix 5380 has no vendor fix available
- Low barrier to attack (no special knowledge needed)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
2 with fix | 2 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| ControlLogix 5580 controllers: V28.011 V28.012 and V28.013 | 28.011, 28.012, 28.013 | 30.011 or later |
| CompactLogix 5380 controllers: V29.011 | 29.011 | No fix (EOL) |
| ControlLogix 5580 controllers: V29.011 | 29.011 | 30.011 or later |
| CompactLogix 5380 controllers: V28.011 | 28.011 | No fix (EOL) |
Remediation & Mitigation
Do now
HARDENING: For CompactLogix 5380 controllers (V28.011 and V29.011) where no fix is available, implement network segmentation to restrict access to the controllers: allow EtherNet/IP traffic only from authorized engineering workstations and HMI systems, and block unexpected sources with firewall rules.
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
HOTFIX: Update ControlLogix 5580 controllers to firmware version 30.011 or later.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CompactLogix 5380 controllers: V29.011, CompactLogix 5380 controllers: V28.011. Apply the following compensating controls:
HARDENING: Disable EtherNet/IP on unneeded ports or restrict it to a protected subnet if CompactLogix 5380 devices are not actively accessed from the general network.
CVEs (1)