OTPulse

GE PACSystems RX3i

Plan Patch | 7.5 | ICS-CERT ICSA-20-014-01 | Jan 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the input validation of GE PACSystems RX3i CPUs (CPE100, CPE115, CPE302, CPE305, CPE310, CPE330, CPE400, CPL410, CRU320) allows unauthenticated remote attackers to send specially crafted input that causes the CPU to transition to halt mode. This results in immediate loss of all process control logic execution on the affected controller. CWE-20 (Improper Input Validation) is the root cause. Emerson has acquired these products from GE and is providing firmware updates.

What this means
What could happen
An attacker could send specially crafted input to cause a PACSystems RX3i CPU to enter halt mode, stopping all operations on that controller until manually restarted. This causes a complete denial of service for any process logic running on that PLC.
Who's at risk
Energy sector operators using GE PACSystems RX3i programmable controllers (CPE100, CPE115, CPE302, CPE305, CPE310, CPE330, CPE400, CPL410, and legacy CRU320 units) should be concerned. These are commonly used as primary or secondary control CPUs in generation, transmission, and distribution systems.
How it could be exploited
An attacker with network access to the CPU could send malformed input through the industrial protocol port (Ethernet/IP on port 2222 or serial protocols) that fails input validation checks. The CPU would then halt, terminating all process control until manually restarted by an operator.
Prerequisites
  • Network access to the PACSystems RX3i CPU on port 2222 (Ethernet/IP) or serial communication port
  • No authentication required to send input to the device
Remotely exploitable | No authentication required | Low complexity attack | Causes denial of service (halt mode) | Affects multiple CPU models across product line
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (9)
9 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| CPE302: All | < R9.90 | R9.90 |
| CPE330: All | < R9.90 | R9.90 |
| CPE100: All | < R9.85 | R9.85 |
| CPE115: All | < R9.85 | R9.85 |
| CPE305: All | < R9.90 | R9.90 |
| CPE310: All | < R9.90 | R9.90 |
| CRU320: (End of Life; Upgrade to CPE330) | All versions | R9.90 |
| CPE400: All | < R9.90 | R9.90 |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the PACSystems RX3i CPU to only authorized engineering workstations and control networks using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade CPE100 to R9.85 or later using the provided firmware upgrade kit
HOTFIX: Upgrade CPE115 to R9.85 or later using the provided firmware upgrade kit
HOTFIX: Upgrade CPE302 to R9.90 or later using the provided firmware upgrade kit
HOTFIX: Upgrade CPE305 to R9.90 or later using the provided firmware upgrade kit
HOTFIX: Upgrade CPE310 to R9.90 or later using the provided firmware upgrade kit
HOTFIX: Upgrade CPE330 to R9.90 or later using the provided firmware upgrade kit
HOTFIX: Upgrade CPE400 to R9.90 or later using the provided firmware upgrade kit
HOTFIX: Upgrade CPL410 to R9.90 or later using the provided firmware upgrade kit
HOTFIX: For CRU320 (end of life), migrate to CPE330 or equivalent newer CPU model
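
To turn the fix versions above into a patch-planning list, the following added example (not code from the advisory, OTPulse or the vendor) checks an asset inventory against them. The CSV layout, the asset names and the assumption that firmware is recorded in the "R9.85" form are illustrative.

```python
import csv, io, re

# Minimum fixed firmware per CPU model, taken from the advisory's table and
# remediation list. CRU320 is end of life: the advisory lists all versions as
# affected and says to migrate to CPE330.
FIXED = {
    "CPE100": (9, 85), "CPE115": (9, 85),
    "CPE302": (9, 90), "CPE305": (9, 90), "CPE310": (9, 90),
    "CPE330": (9, 90), "CPE400": (9, 90), "CPL410": (9, 90),
}
END_OF_LIFE = {"CRU320"}
VERSION_RE = re.compile(r"^R(\d+)\.(\d+)$", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor) for strings like 'R9.85', or None if malformed."""
    m = VERSION_RE.match(text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(model, firmware):
    """Classify one controller against ICSA-20-014-01."""
    model = model.strip().upper()
    if model in END_OF_LIFE:
        return "MIGRATE"          # replace the CPU rather than patch it
    if model not in FIXED:
        return "NOT_LISTED"       # model is not named in the advisory
    version = parse_version(firmware)
    if version is None:
        return "CHECK_MANUALLY"   # unreadable version: do not assume patched
    return "PATCHED" if version >= FIXED[model] else "VULNERABLE"

def audit(inventory_csv):
    """Map asset name -> status for a CSV with asset,model,firmware columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["asset"]: classify(r["model"], r["firmware"]) for r in rows}

# Constructed sample inventory (asset names, versions and CPE999 are made up).
SAMPLE = """asset,model,firmware
unit1-turbine,CPE330,R9.75
unit1-bop,CPE100,R9.85
sub-a-rtu,cru320,R8.10
unit2-turbine,CPE400,R10.05
unit2-aux,CPE305,unknown
hmi-gw,CPE999,R9.90
"""

if __name__ == "__main__":
    for asset, status in audit(SAMPLE).items():
        print(f"{asset:15} {status}")
```

Controllers reported as VULNERABLE or MIGRATE are the ones to put behind the firewall restriction first while the maintenance window is scheduled.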
Long-term hardening
HARDENING: Segment PACSystems RX3i systems onto a dedicated control network isolated from corporate networks and untrusted sources