Rockwell Automation Allen-Bradley CompactLogix and Compact GuardLogix (Update A)
Plan Patch · 8.6 · ICS-CERT ICSA-18-172-02 · Jun 21, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in Allen-Bradley CompactLogix 5370 and Compact GuardLogix 5370 controllers (firmware version 30.014 and earlier) allows an attacker to send a crafted packet via Ethernet/IP or CIP protocol to cause the controller to enter a Major Non-Recoverable Fault (MNRF) state. This is classified as a safe failure state, but it stops the controller from processing and requires the application program to be redownloaded to recover normal operation. Affected products include CompactLogix 5370 L1, L2, and L3 variants, as well as Armor-protected versions and Compact GuardLogix 5370 controllers. No patch is currently available for these firmware versions.
What this means
What could happen
An attacker could send a specially crafted packet to a CompactLogix or Compact GuardLogix controller, causing it to enter a Major Non-Recoverable Fault state and stop processing. Recovery requires manually redownloading the application program to the controller.
Who's at risk
Water utilities, electric utilities, and manufacturers using Rockwell Automation CompactLogix 5370 L1, L2, L3 controllers or Armor/Compact GuardLogix 5370 controllers for process automation, flow control, or safety-critical functions should evaluate this risk. Any facility relying on these PLCs for continuous operation is affected.
How it could be exploited
An attacker on the network sends a malformed packet to the controller via the Ethernet/IP or CIP protocol (ports 2222 or 44818). The controller's input validation fails, triggering a fault condition that halts operations and requires manual intervention to restore.
Prerequisites
- Network access to the controller on ports 2222/TCP and UDP or 44818/TCP and UDP
- Controller firmware version 30.014 or earlier
- No authentication required
Remotely exploitable · No authentication required · Low complexity attack · No patch available for affected firmware versions · Denial of service affects physical operations
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
Allen-Bradley CompactLogix 5370 L1 controllers | ≤ 30.014 | 31.011 or later
Allen-Bradley Armor Compact GuardLogix 5370 controllers | ≤ 30.014 | 31.011 or later
Allen-Bradley CompactLogix 5370 L3 controllers | ≤ 30.014 | 31.011 or later
Allen-Bradley Armor CompactLogix 5370 L3 controllers | ≤ 30.014 | 31.011 or later
Allen-Bradley CompactLogix 5370 L2 controllers | ≤ 30.014 | 31.011 or later
Allen-Bradley Compact GuardLogix 5370 controllers | ≤ 30.014 | 31.011 or later
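An added example, not part of the original advisory: triaging an asset inventory against the affected-products table above. The inventory layout and asset names are constructed, and the code assumes a firmware revision is a major.minor integer pair, so 30.14 and 30.014 denote the same revision.

```python
import csv
import io

# Thresholds taken from the advisory's affected-products table.
LAST_AFFECTED = (30, 14)   # "≤ 30.014"
FIRST_FIXED = (31, 11)     # "31.011 or later"
FAMILIES = ("compactlogix 5370", "compact guardlogix 5370")

# Constructed sample inventory; asset names and column layout are assumptions.
SAMPLE_INVENTORY = """asset,product,firmware
PLC-PUMP-01,CompactLogix 5370 L3,30.014
PLC-PUMP-02,CompactLogix 5370 L1,FRN 31.011
PLC-SAFE-01,Armor Compact GuardLogix 5370,28.12
PLC-MIX-01,CompactLogix 5370 L2,30.14
PLC-MIX-02,CompactLogix 5370 L2,31.002
PLC-LINE-09,ControlLogix 5580,30.011
PLC-LINE-10,CompactLogix 5370 L3,unknown
"""

def parse_revision(text):
    # Compare revisions as integer pairs, never as floats:
    # float("30.14") > float("30.014") would hide an affected unit.
    cleaned = text.upper().replace("FRN", "").strip()
    major, sep, minor = cleaned.partition(".")
    if not (sep and major.isdigit() and minor.isdigit()):
        return None
    return int(major), int(minor)

def classify(product, firmware):
    if not any(f in product.lower() for f in FAMILIES):
        return "NOT_LISTED"          # product is not in the advisory's table
    rev = parse_revision(firmware)
    if rev is None:
        return "UNKNOWN_REVISION"    # needs a manual check on the device
    if rev <= LAST_AFFECTED:
        return "AFFECTED"
    if rev >= FIRST_FIXED:
        return "FIXED"
    return "BETWEEN"  # the advisory gives no status for this range

def triage(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["asset"]: classify(r["product"], r["firmware"]) for r in rows}

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY).items():
        print(f"{asset:12} {status}")
```

Assets reported as AFFECTED, BETWEEN or UNKNOWN_REVISION are the ones to check against the port restrictions and firmware update listed under Remediation & Mitigation.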
Remediation & Mitigation
Do now
WORKAROUND: Block or restrict inbound traffic to ports 2222 and 44818 (TCP and UDP) using firewalls or network security appliances to prevent external access to Ethernet/IP and CIP devices
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update firmware to revision FRN 31.011 or later on all affected CompactLogix and Compact GuardLogix controllers
Long-term hardening
HARDENING: Isolate all control system networks from the Internet and place them behind firewalls; segregate control systems from the business network
HARDENING: If remote access to controllers is required, use secure methods such as VPNs and keep VPN software current
CVEs (1)