ICSA-19-120-01: Rockwell Automation CompactLogix 5370
Score: 8.6 | ICS-CERT ICSA-19-120-01 | Apr 30, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
CVE-2019-10952 and CVE-2019-10954 affect CompactLogix 5370 and Compact GuardLogix 5370 controllers (firmware versions 20 through 30.014). These vulnerabilities allow remote attackers to cause a denial of service condition. The vulnerabilities include EtherNet/IP-based issues affecting ports 2222 and 44818 (TCP/UDP), and web-based issues affecting ports 80 and 443 (TCP). Attack complexity is low and no authentication is required.
What this means
What could happen
An attacker can remotely crash or cause a denial of service on affected CompactLogix and Compact GuardLogix controllers without needing valid credentials, disrupting production processes and equipment control.
Who's at risk
Water and electric utilities, manufacturing facilities, and any organization operating CompactLogix 5370 L1/L2/L3 or Compact GuardLogix 5370 controllers (including Armor variants) for process control, motor drives, or safety-critical automation should evaluate their exposure. These programmable logic controllers (PLCs) are widely deployed in SCADA and industrial automation systems.
How it could be exploited
An attacker with network access to the controller can send specially crafted packets to EtherNet/IP ports (2222 or 44818) or web service ports (80 or 443) to trigger a denial of service condition. No authentication or user interaction is required; the attack is remotely exploitable over the network.
Prerequisites
- Network reachability to the CompactLogix or Compact GuardLogix controller on ports 2222, 44818 (EtherNet/IP), or 80/443 (web services)
- No credentials or authentication required
- Remotely exploitable
- No authentication required
- Low attack complexity
- No patch available for current firmware versions
- Denial of service impact on control systems
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (5)
5 with fix
Product | Affected Versions | Fix Status
Compact GuardLogix 5370 controllers | ≥ 20, ≤ 30.014 | 31.011
Armor Compact GuardLogix 5370 controllers | ≥ 20, ≤ 30.014 | 31.011
CompactLogix 5370 L1 controllers | ≥ 20, ≤ 30.014 | 31.011
CompactLogix 5370 L2 controllers | ≥ 20, ≤ 30.014 | 31.011
CompactLogix 5370 L3 controllers | ≥ 20, ≤ 30.014 | 31.011
Remediation & Mitigation
Do now
- WORKAROUND: Block or restrict access to ports 2222 and 44818 (TCP/UDP) at the network edge using firewalls or UTM devices to prevent EtherNet/IP-based attacks
- WORKAROUND: Block or restrict access to ports 80 and 443 (TCP) at the network edge to prevent web-based attacks
- WORKAROUND: For Stratix managed switches, configure Access Control Lists (ACLs) to restrict access to affected ports
- WORKAROUND: Block SMTP packets from unauthorized external sources using firewall rules
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
- HOTFIX: Update CompactLogix and Compact GuardLogix 5370 firmware to version FRN 31.011 or later
Long-term hardening
- HARDENING: Segment CompactLogix and Compact GuardLogix controllers into an isolated manufacturing zone with no direct internet exposure
- HARDENING: Implement network segmentation to prevent external internet access to control system devices
- HARDENING: For required remote access, establish secure VPN connections and keep VPN software updated
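The port restrictions from the workarounds above, written as an added nftables ruleset for a Linux firewall at the edge of the manufacturing zone (example configuration, not from the advisory or Rockwell Automation). The controller address 10.10.20.5 and the engineering subnet 10.10.10.0/24 are assumed placeholders; only that subnet may reach the EtherNet/IP and web ports, and every other attempt toward the controllers is logged and dropped.

```nftables
# Added example ruleset: restrict access to CompactLogix / Compact GuardLogix 5370
# controllers to the engineering subnet. Addresses below are placeholders.
table inet ot_edge {
    set plc_hosts {
        type ipv4_addr
        elements = { 10.10.20.5 }        # assumed controller address
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow replies for connections the rules below have already accepted
        ct state established,related accept

        # EtherNet/IP (ports 2222 and 44818, TCP and UDP) only from engineering hosts
        ip saddr 10.10.10.0/24 ip daddr @plc_hosts tcp dport { 2222, 44818 } accept
        ip saddr 10.10.10.0/24 ip daddr @plc_hosts udp dport { 2222, 44818 } accept

        # Controller web interface (ports 80 and 443, TCP) only from engineering hosts
        ip saddr 10.10.10.0/24 ip daddr @plc_hosts tcp dport { 80, 443 } accept

        # Anything else aimed at a controller is logged for the SOC, then dropped
        ip daddr @plc_hosts log prefix "ot-edge-drop: " drop
    }
}
```

Load with `nft -f` and review the `ot-edge-drop:` log lines after deployment to catch legitimate hosts that still need an allow rule before cutting them off.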
CVEs (2): CVE-2019-10952, CVE-2019-10954