Rockwell Automation Allen-Bradley CompactLogix and Compact GuardLogix (Update A)

Plan PatchCVSS 8.6ICS-CERT ICSA-18-172-02Jun 21, 2018

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in Allen-Bradley CompactLogix 5370 and Compact GuardLogix 5370 controllers (firmware version 30.014 and earlier) allows an attacker to send a crafted packet via Ethernet/IP or CIP protocol to cause the controller to enter a Major Non-Recoverable Fault (MNRF) state. This is classified as a safe failure state, but it stops the controller from processing and requires the application program to be redownloaded to recover normal operation. Affected products include CompactLogix 5370 L1, L2, and L3 variants, as well as Armor-protected versions and Compact GuardLogix 5370 controllers. No patch is currently available for these firmware versions.

What this means

What could happen

An attacker could send a specially crafted packet to a CompactLogix or Compact GuardLogix controller, causing it to enter a Major Non-Recoverable Fault state and stop processing. Recovery requires manually redownloading the application program to the controller.

Who's at risk

Water utilities, electric utilities, and manufacturers using Rockwell Automation CompactLogix 5370 L1, L2, L3 controllers or Armor/Compact GuardLogix 5370 controllers for process automation, flow control, or safety-critical functions should evaluate this risk. Any facility relying on these PLCs for continuous operation is affected.

How it could be exploited

An attacker on the network sends a malformed packet to the controller via the Ethernet/IP or CIP protocol (ports 2222 or 44818). The controller's input validation fails, triggering a fault condition that halts operations and requires manual intervention to restore.

Prerequisites

Network access to the controller on ports 2222/TCP and UDP or 44818/TCP and UDP
Controller firmware version 30.014 or earlier
No authentication required

Remotely exploitableNo authentication requiredLow complexity attackNo patch available for affected firmware versionsDenial of service affects physical operations

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

Allen-Bradley CompactLogix 5370 L1 controllers:≤ 30.01431.011+

Allen-Bradley Armor Compact GuardLogix 5370 controllers:≤ 30.01431.011+

Allen-Bradley CompactLogix 5370 L3 controllers:≤ 30.01431.011+

Allen-Bradley Armor CompactLogix 5370 L3 controllers:≤ 30.01431.011+

Allen-Bradley CompactLogix 5370 L2 controllers:≤ 30.01431.011+

Allen-Bradley Compact GuardLogix 5370 controllers:≤ 30.01431.011+

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDBlock or restrict inbound traffic to ports 2222 and 44818 (TCP and UDP) using firewalls or network security appliances to prevent external access to Ethernet/IP and CIP devices

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware to revision FRN 31.011 or later on all affected CompactLogix and Compact GuardLogix controllers

Long-term hardening

0/2

HARDENINGIsolate all control system networks from the Internet and place them behind firewalls; segregate control systems from the business network

HARDENINGIf remote access to controllers is required, use secure methods such as VPNs and keep VPN software current

CVEs (1)

CVE-2017-9312

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7f933e02-a344-412b-8754-3c757ab09a97

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.