Rockwell Automation Logix controllers
Plan Patch · CVSS score 8.6 · ICS-CERT ICSA-22-342-03 · Dec 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in Rockwell Automation Logix controllers (CompactLogix 5380/5480, Compact GuardLogix 5380, ControlLogix 5580, GuardLogix 5580) running firmware version 31.011 and later allows an unauthenticated attacker to send a malformed packet that causes the controller to crash and become unavailable (denial-of-service). The flaw is an input-validation weakness and requires neither credentials nor user interaction. Rockwell Automation has released patched firmware versions (32.016 or later, 33.015 or later, or 34.011 or later, depending on the firmware branch in use).
What this means
What could happen
An attacker with network access could cause a denial-of-service condition on your Logix controller, stopping process execution and interrupting production until the device is rebooted or power-cycled.
Who's at risk
Water utilities, electric utilities, and any facility operating CompactLogix, Compact GuardLogix, ControlLogix, or GuardLogix 5380/5480/5580 controllers for pumping, power distribution, or process control. This affects mid-size municipal operations and industrial plants using Allen-Bradley PLC platforms.
How it could be exploited
An attacker on your network (or with routable access to your control network) sends a specially crafted packet to the Logix controller. The controller fails to validate the packet contents correctly, crashes, and becomes unavailable. This disrupts any automation processes controlled by that device.
Prerequisites
- Network reachability to the Logix controller on its service port (typically EtherNet/IP port 2222 or 44818)
- No authentication required
- Remotely exploitable
- No authentication required
- Low complexity attack
- No patch available for firmware versions 31.011 and later
- High CVSS score (8.6)
- Affects critical control devices
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (5)
5 with fix
Product family: CompactLogix, Compact GuardLogix, ControlLogix, and GuardLogix controllers

Product | Affected versions | Fix status
CompactLogix 5480 controllers | firmware ≥ 31.011 | 32.016 or later, 33.015 or later, 34.011 or later
ControlLogix 5580 controllers | firmware ≥ 31.011 | 32.016 or later, 33.015 or later, 34.011 or later
GuardLogix 5580 controllers | firmware ≥ 31.011 | 32.016 or later, 33.015 or later, 34.011 or later
CompactLogix 5380 controllers | firmware ≥ 31.011 | 32.016 or later, 33.015 or later, 34.011 or later
Compact GuardLogix 5380 controllers | firmware ≥ 31.011 | 32.016 or later, 33.015 or later, 34.011 or later
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Logix controllers using firewall rules; allow only engineering workstations and authorized devices to reach the controller ports
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade CompactLogix 5380 controllers to firmware version 32.016 or later, 33.015 or later, or 34.011 or later depending on current firmware branch
HOTFIX: Upgrade Compact GuardLogix 5380 controllers to firmware version 32.016 or later, 33.015 or later, or 34.011 or later depending on current firmware branch
HOTFIX: Upgrade CompactLogix 5480 controllers to firmware version 32.016 or later, 33.015 or later, or 34.011 or later depending on current firmware branch
HOTFIX: Upgrade ControlLogix 5580 controllers to firmware version 32.016 or later, 33.015 or later, or 34.011 or later depending on current firmware branch
HOTFIX: Upgrade GuardLogix 5580 controllers to firmware version 32.016 or later, 33.015 or later, or 34.011 or later depending on current firmware branch
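The upgrade steps above depend on which firmware branch a controller is on, which is easy to get wrong across a fleet. The following triage helper is an added example, not code from Rockwell Automation or from this advisory. It assumes firmware strings of the form "major.minor" (e.g. "32.011") with the major number as the branch, applies the affected threshold (31.011 and later) and the fixed releases the advisory lists per branch (32.016, 33.015, 34.011), and deliberately reports branches the advisory does not mention (35 and up) as "not covered" rather than guessing. The inventory at the bottom is constructed sample data.

```python
"""Firmware triage for the Logix controller DoS advisory (added example).

Assumptions (not stated by the advisory, labelled here):
  - firmware strings are "major.minor" such as "32.011"; branch == major
  - versions in branches the advisory does not list (major >= 35) are
    reported as "not covered" instead of being assumed fixed or affected
"""
from dataclasses import dataclass

# From the advisory: firmware 31.011 and later is affected.
AFFECTED_FROM = (31, 11)
# From the advisory: first fixed release in each branch that has one.
FIXED_IN_BRANCH = {32: (32, 16), 33: (33, 15), 34: (34, 11)}
# Product lines named in the affected-products table.
AFFECTED_FAMILIES = {
    "CompactLogix 5380", "Compact GuardLogix 5380", "CompactLogix 5480",
    "ControlLogix 5580", "GuardLogix 5580",
}


def parse_version(text: str) -> tuple[int, int]:
    """Turn '32.011' into (32, 11) so tuples compare numerically."""
    major, minor = text.strip().split(".")
    return int(major), int(minor)


def fmt_version(v: tuple[int, int]) -> str:
    return f"{v[0]}.{v[1]:03d}"


@dataclass
class Triage:
    product: str
    firmware: str
    status: str   # "out of scope" | "not affected" | "affected" | "fixed" | "not covered"
    action: str


def triage(product: str, firmware: str) -> Triage:
    """Classify one controller against the advisory's version ranges."""
    if product not in AFFECTED_FAMILIES:
        return Triage(product, firmware, "out of scope",
                      "product line not listed in this advisory")
    v = parse_version(firmware)
    if v < AFFECTED_FROM:
        return Triage(product, firmware, "not affected",
                      "firmware predates the affected range")
    fixed = FIXED_IN_BRANCH.get(v[0])
    if fixed is None:
        if v[0] == 31:
            # The advisory lists no fixed release inside the 31.x branch.
            return Triage(product, firmware, "affected",
                          "move to 32.016, 33.015 or 34.011 (or later in that branch)")
        # Assumption: branches above 34 are not described by the advisory.
        return Triage(product, firmware, "not covered",
                      "branch not listed in advisory; confirm with vendor")
    if v >= fixed:
        return Triage(product, firmware, "fixed", "no action required")
    return Triage(product, firmware, "affected",
                  f"upgrade within branch to {fmt_version(fixed)} or later")


def triage_inventory(inventory: list[tuple[str, str]]) -> dict[str, list[Triage]]:
    """Group triage results by status so the 'affected' list is the work queue."""
    groups: dict[str, list[Triage]] = {}
    for product, firmware in inventory:
        result = triage(product, firmware)
        groups.setdefault(result.status, []).append(result)
    return groups


# Constructed sample inventory (not real plant data).
SAMPLE_INVENTORY = [
    ("ControlLogix 5580", "32.011"),
    ("ControlLogix 5580", "32.016"),
    ("CompactLogix 5380", "31.011"),
    ("CompactLogix 5380", "30.014"),
    ("GuardLogix 5580", "34.010"),
    ("CompactLogix 5370", "31.011"),
]

if __name__ == "__main__":
    for status, items in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"== {status} ({len(items)})")
        for t in items:
            print(f"  {t.product} {t.firmware}: {t.action}")
```

Feed it the output of whatever asset inventory you already keep; the "affected" group is the maintenance-window list, and any "not covered" entries are the ones to confirm against the current vendor advisory rather than assume safe.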
Long-term hardening
HARDENING: Ensure Logix controllers are not directly accessible from your business network or the Internet; place them behind a firewall or on a segregated control network
HARDENING: Apply Rockwell Automation security best practices for defense-in-depth, including segmentation, access controls, and monitoring
CVEs (1)