OTPulse

Rockwell Automation 1734-AENTR Series B and Series C

Monitor | 7.5 | ICS-CERT ICSA-21-063-01 | Mar 4, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Rockwell Automation 1734-AENTR Series B and Series C modules contain improper access control vulnerabilities (CWE-284, CWE-79) that allow an attacker to modify data on the device without authentication. Affected versions are Series B firmware 4.001–4.004 and 5.011–5.016; Series C firmware 6.011–6.012. Successful exploitation could lead to unauthorized modification of operational data, alarm settings, or process parameters stored on the module.

What this means
What could happen
An attacker with network access to the 1734-AENTR module could modify data on the device without authentication, potentially altering process parameters, alarm setpoints, or stored configuration that could affect water treatment or electric distribution operations.
Who's at risk
Water utilities and electric utilities operating Rockwell Automation 1734-AENTR analog input/output adapter modules in PLC/PAC systems. This includes any facility using CompactLogix or SLC 5/05 with these remote I/O modules for process monitoring and control.
How it could be exploited
An attacker sends crafted network packets to the 1734-AENTR module on port 502 (Modbus) or the proprietary Rockwell protocol port. Because no authentication is required, the attacker can directly write data to memory or registers, modifying operational parameters or process logic.
Prerequisites
  • Network access to the 1734-AENTR module port (port 502 for Modbus or proprietary Rockwell port)
  • No credentials required
  • Module must be connected to a network that is reachable from the attacker
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High CVSS score (7.5)
  • Data modification impact on operations
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 pending
Product     Affected Versions                        Fix Status
Series C    6.011 and 6.012                          No fix yet
Series B    > 4.001 | < 4.005 | > 5.011 | < 5.017    No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Deploy firewall rules to restrict network access to the 1734-AENTR module; allow only traffic from authorized engineering workstations and HMI systems, and block all external/Internet access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Rockwell Automation 1734-AENTR Series B devices to firmware version 5.018 or later
HOTFIX: Update Rockwell Automation 1734-AENTR Series C devices to firmware version 6.013 or later
Long-term hardening
HARDENING: Isolate the control system network (where 1734-AENTR modules reside) from the business network using firewalls or air gaps
HARDENING: If remote access to the control system is required, use a VPN with strong authentication and keep VPN software updated
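
To decide which modules need the hotfix, an asset inventory can be checked against the affected ranges in the Summary and the fixed versions listed above. The script below is an added example, not part of the advisory or any Rockwell Automation tooling; the CSV layout, the asset names and the "not-listed" status for versions the advisory does not mention (such as Series B 5.017) are assumptions.

```python
import csv
import io

# Affected ranges (inclusive) and first fixed versions, as stated in this advisory.
AFFECTED = {
    "B": [((4, 1), (4, 4)), ((5, 11), (5, 16))],
    "C": [((6, 11), (6, 12))],
}
FIXED_FROM = {"B": (5, 18), "C": (6, 13)}


def parse_version(text):
    """Turn '5.016' into (5, 16); raise ValueError on anything else."""
    major, minor = text.strip().split(".")
    return int(major), int(minor)


def classify(series, firmware):
    """Return 'affected', 'fixed' or 'not-listed' for one module."""
    series = series.strip().upper()
    if series not in AFFECTED:
        return "not-listed"
    try:
        version = parse_version(firmware)
    except ValueError:
        return "not-listed"
    if any(low <= version <= high for low, high in AFFECTED[series]):
        return "affected"
    if version >= FIXED_FROM[series]:
        return "fixed"
    # Example: Series B 5.017 is in no affected range and below the fixed version.
    return "not-listed"


def triage(inventory_csv):
    """Map asset -> status for CSV text with columns asset,series,firmware."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["asset"]: classify(r["series"], r["firmware"]) for r in rows}


# Constructed sample inventory; asset names and the CSV layout are assumptions.
SAMPLE = """asset,series,firmware
rio-pump-01,B,4.003
rio-pump-02,B,5.017
rio-filter-01,B,5.018
rio-feeder-01,C,6.012
rio-legacy-01,A,3.012
"""

print(triage(SAMPLE))
```

Modules reported as "not-listed" fall outside what this advisory covers and should be checked against the vendor's own notice rather than assumed safe.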