Rockwell Automation EtherNet/IP Web Server Modules
Monitor | 5.3 | ICS-CERT ICSA-19-036-02 | Feb 5, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A denial-of-service vulnerability in Rockwell Automation EtherNet/IP web server modules could allow a remote attacker to disrupt SNMP communication. The vulnerability affects CompactLogix 1768-EWEB (version 2.005 and earlier) and 1756-EWEB/1756-EWEBK (version 5.001 and earlier). Successful exploitation causes the SNMP service to become unresponsive, preventing network-based device monitoring until the service is manually re-enabled or the device is rebooted. No public exploits are currently known.
What this means
What could happen
An attacker could disrupt communication with the SNMP monitoring service on your EtherNet/IP web modules, potentially preventing remote device monitoring and management until SNMP is re-enabled or the device is rebooted.
Who's at risk
Water and electric utilities relying on Rockwell Automation CompactLogix 1768-EWEB or 1756-EWEB modules for remote device monitoring and management. These modules are commonly used in PLC control systems for network-based data acquisition and diagnostics.
How it could be exploited
An attacker with network access to the web module could send a specially crafted request to the SNMP service that causes it to become unresponsive. This requires only network connectivity to the device; no authentication is needed.
Prerequisites
- Network access to the affected CompactLogix or 1756 module
- SNMP service must be enabled on the device
Tags: remotely exploitable, no authentication required, low complexity, no patch available
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
CompactLogix 1768-EWEB | ≤ 2.005 | No fix (EOL)
1756-EWEB (includes 1756-EWEBK) | ≤ 5.001 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Disable SNMP service on CompactLogix 1768-EWEB and 1756-EWEB modules if SNMP monitoring is not required
- HARDENING: Restrict network access to the web modules using firewall rules to allow only authorized management traffic
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CompactLogix 1768-EWEB, 1756-EWEB (includes 1756-EWEBK). Apply the following compensating controls:
- HARDENING: Segment your control system network from the business network to prevent direct internet access to the modules
CVEs (1)