OTPulse

Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers (Update A)

Monitor · 5.8 · ICS-CERT ICSA-21-061-02 · Mar 2, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A CIP protocol parsing vulnerability in Rockwell Automation CompactLogix 5370 and ControlLogix 5570 controllers allows an attacker to send specially crafted EtherNet/IP packets that cause denial-of-service by disrupting controller communications. The vulnerability affects ControlLogix 5570 (version 33 and prior), CompactLogix 5370 L1/L2/L3, Compact GuardLogix 5370, Armor Compact GuardLogix 5370, and Armor GuardLogix Safety Controllers all at version 33 and prior. Rockwell Automation recommends updating to firmware v33.011 or later to remediate the issue.

What this means
What could happen
An attacker could send malicious network packets to your CompactLogix or ControlLogix controller, causing it to stop communicating with other devices on your network and disrupting coordination between controllers and monitoring systems.
Who's at risk
Water and electric utilities, food and beverage plants, and other critical infrastructure using Rockwell Automation CompactLogix 5370 (all variants: L1, L2, L3, GuardLogix, Armor GuardLogix) or ControlLogix 5570 controllers for process control and safety logic. This affects any facility using these PLCs for pump control, valve coordination, or safety interlocks.
How it could be exploited
An attacker with network access to the controller sends specially crafted CIP (Common Industrial Protocol) packets to port 2222 (EtherNet/IP). The controller processes the malformed packet and becomes unresponsive to legitimate CIP communications until restarted.
Prerequisites
  • Network access to the controller on port 2222 (EtherNet/IP)
  • No authentication required to send CIP packets
  • Controller must be running firmware version 33 or earlier
Risk factors
  • Remotely exploitable over network
  • No authentication required
  • Low complexity attack
  • No patch available for affected versions
  • Affects safety-certified controller variants (GuardLogix, Armor GuardLogix)
  • Impacts device availability
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (7)
7 with fix
Product                                       Affected Versions          Fix Status
ControlLogix 5570 controllers                 ≤ 33 (version 33 and prior)  33.011 or later
Compact GuardLogix 5370 controllers           ≤ 33                         33.011 or later
CompactLogix 5370 L1 controllers              ≤ 33                         33.011 or later
CompactLogix 5370 L2 controllers              ≤ 33                         33.011 or later
CompactLogix 5370 L3 controllers              ≤ 33                         33.011 or later
Armor GuardLogix Safety Controllers           ≤ 33                         33.011 or later
Armor Compact GuardLogix 5370 controllers     ≤ 33                         33.011 or later
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to controllers: block inbound traffic on port 2222 (EtherNet/IP) from untrusted networks using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update controller firmware to version 33.011 or later
Long-term hardening
HARDENING: Isolate controller networks from business network and Internet using air gap or firewall segmentation
HARDENING: If remote access to controllers is needed, require VPN and limit access to specific authorized workstations
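As an added example (not part of this advisory and not Rockwell's own tooling), the Python script below audits firewall flow-log lines for EtherNet/IP traffic that was allowed through to a Logix controller from outside an authorized engineering network, which is the check behind the port 2222 workaround above, and flags firmware strings below the 33.011 fix. The log format, subnets and the "major.minor" reading of Logix firmware strings are assumptions; the audit can also be widened to TCP 44818, the EtherNet/IP explicit-messaging port, which this advisory does not list.

```python
import ipaddress
import re

# Constructed sample log (hypothetical key=value firewall format, not a vendor's real format).
# Controllers sit in 10.10.20.0/24; the only authorized EtherNet/IP source is 10.10.5.0/24.
SAMPLE_LOG = """\
2021-03-02T10:00:01 action=ALLOW proto=UDP src=10.10.5.21 dst=10.10.20.7 dport=2222
2021-03-02T10:00:03 action=ALLOW proto=UDP src=192.168.88.14 dst=10.10.20.7 dport=2222
2021-03-02T10:00:05 action=ALLOW proto=TCP src=192.168.88.14 dst=10.10.20.7 dport=44818
2021-03-02T10:00:09 action=DENY proto=UDP src=203.0.113.9 dst=10.10.20.7 dport=2222
2021-03-02T10:00:12 action=ALLOW proto=TCP src=10.10.5.22 dst=10.10.20.8 dport=443
"""
LINE_RE = re.compile(r"action=(?P<action>\w+) proto=\w+ src=(?P<src>[\d.]+) "
                     r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

def audit_enip_exposure(log_text, controller_nets, authorized_nets, ports=(2222,)):
    """Return (src, dst, dport) for each ALLOWed packet that reached a controller on an
    EtherNet/IP port from outside the authorized networks. Empty list = workaround holding.
    Default ports follow the advisory (2222); EtherNet/IP explicit messaging also uses
    TCP 44818, so pass ports=(2222, 44818) to audit both."""
    controllers = [ipaddress.ip_network(n) for n in controller_nets]
    authorized = [ipaddress.ip_network(n) for n in authorized_nets]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) not in ports or m["action"].upper() != "ALLOW":
            continue  # unparseable, not EtherNet/IP, or already blocked by the firewall
        dst = ipaddress.ip_address(m["dst"])
        src = ipaddress.ip_address(m["src"])
        if any(dst in n for n in controllers) and not any(src in n for n in authorized):
            findings.append((m["src"], m["dst"], int(m["dport"])))
    return findings

def is_affected_firmware(version, fixed=(33, 11)):
    """Assumes Logix firmware strings look like 'V33.011' or '32.012' (major.minor); a bare
    '33' is treated as 33.000. Anything below the fixed release 33.011 is affected."""
    parts = version.strip().lstrip("Vv").split(".")
    major, minor = int(parts[0]), int(parts[1]) if len(parts) > 1 else 0
    return (major, minor) < fixed

if __name__ == "__main__":
    for hit in audit_enip_exposure(SAMPLE_LOG, ["10.10.20.0/24"], ["10.10.5.0/24"],
                                   ports=(2222, 44818)):
        print("unauthorized EtherNet/IP access:", hit)
    print("V32.016 affected:", is_affected_firmware("V32.016"))  # True
```

Run it against exported firewall logs after applying the workaround; any finding is a source that can still reach the controller on an EtherNet/IP port and should be blocked or added to the authorized list deliberately.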