OTPulse

Rockwell Automation 1794-AENT Flex I/O Series B

Monitor | 7.5 | ICS-CERT ICSA-20-294-01 | Oct 20, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

Rockwell Automation 1794-AENT Flex I/O Series B (firmware versions 4.003 and earlier) contains a buffer overflow vulnerability (CWE-120) accessible over the network. Successful exploitation could crash the device, disrupting control of connected equipment. In the worst case, an attacker could achieve remote code execution, allowing them to modify or disable control logic, alter setpoints, or manipulate process outputs. No firmware patch is currently available from Rockwell Automation.

What this means
What could happen
An attacker could remotely crash the 1794-AENT Flex I/O device through a buffer overflow, disrupting any process or control logic it handles. In the worst case, if code execution is achieved, the attacker could alter setpoints, disable safety interlocks, or manipulate process outputs.
Who's at risk
Water utilities and power plants using Rockwell Automation 1794-AENT Flex I/O modules in distributed I/O racks. This device typically reads and writes analog or digital signals from field equipment (pumps, valves, motors, sensors). Any facility relying on this module for process control or automation is affected.
How it could be exploited
An attacker on the network sends a specially crafted packet to the Flex I/O device's network port, triggering a buffer overflow in the firmware. This causes the device to crash immediately, or potentially allows the attacker to execute arbitrary commands on the device if they craft the payload carefully. The attack requires no authentication or user interaction.
Prerequisites
  • Network access to the 1794-AENT Flex I/O device on its communication port (typically Ethernet)
  • Device firmware version 4.003 or earlier
  • Device must be reachable from the attacker's network segment
Tags: remotely exploitable, no authentication required, low complexity, no patch available, buffer overflow can lead to code execution
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
1794-AENT Flex I/O Series B | ≤ 4.003 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Ensure the Flex I/O device is not directly accessible from the Internet or from untrusted networks. Disable unnecessary network services and ports if possible.
WORKAROUND: If remote access to the device is required, use a VPN with the most current security patches, and restrict VPN access to authorized engineering personnel only.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Check with Rockwell Automation for any available firmware updates or patches for the 1794-AENT Series B. Current advisory indicates no fix is available, so monitor vendor communications for future releases.
Mitigations - no patch available
The 1794-AENT Flex I/O Series B has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the Flex I/O device and any network it belongs to from the main office/business network using a firewall.
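
One way to check the prerequisites and the segmentation control together, as an added example that is not part of the advisory or any vendor tooling: it flags inventory entries matching the affected product and firmware range, then lists any flow sources outside the control segment that reached them. The inventory fields, flow records, IP addresses and the control-segment CIDR are constructed assumptions.

```python
import ipaddress

AFFECTED_MODEL = "1794-AENT"
AFFECTED_SERIES = "B"
LAST_AFFECTED = (4, 3)  # firmware 4.003, the last affected version per the advisory

# Constructed sample data (assumptions, not from the advisory).
CONTROL_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed trusted control segment
INVENTORY = [
    {"ip": "10.20.0.11", "model": "1794-AENT", "series": "B", "firmware": "4.003"},
    {"ip": "10.20.0.12", "model": "1794-AENT", "series": "B", "firmware": "4.004"},
    {"ip": "10.20.0.13", "model": "1794-AENT", "series": "A", "firmware": "3.001"},
    {"ip": "10.20.0.14", "model": "1794-AENT", "series": "B", "firmware": "3.012"},
]
FLOWS = [  # (source, destination) pairs, e.g. exported from firewall or flow logs
    ("10.20.0.5", "10.20.0.11"),
    ("192.168.50.23", "10.20.0.11"),
    ("192.168.50.23", "10.20.0.12"),
    ("10.20.0.5", "10.20.0.14"),
]

def parse_firmware(text):
    """Turn '4.003' into (4, 3) so versions compare numerically, not as strings."""
    major, _, minor = text.strip().partition(".")
    return (int(major), int(minor or 0))

def is_affected(asset):
    """True for Series B modules at firmware 4.003 or earlier."""
    return (asset["model"] == AFFECTED_MODEL
            and asset["series"].upper() == AFFECTED_SERIES
            and parse_firmware(asset["firmware"]) <= LAST_AFFECTED)

def in_control_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONTROL_NETS)

def audit(inventory, flows):
    """Map each affected device IP to the sorted untrusted sources that reached it."""
    findings = {a["ip"]: set() for a in inventory if is_affected(a)}
    for src, dst in flows:
        if dst in findings and not in_control_net(src):
            findings[dst].add(src)
    return {ip: sorted(srcs) for ip, srcs in findings.items()}

if __name__ == "__main__":
    for ip, sources in audit(INVENTORY, FLOWS).items():
        status = "EXPOSED to " + ", ".join(sources) if sources else "segmented"
        print(f"{ip}: affected firmware, {status}")
```

An empty source list for an affected device means the sampled flows show no traffic from outside the control segment; it does not prove the firewall blocks such traffic.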