Rockwell Automation Logix controllers
Plan PatchCVSS 8.6ICS-CERT ICSA-22-342-03Dec 8, 2022
Rockwell Automation
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
A vulnerability in Rockwell Automation Logix controllers (CompactLogix 5380/5480, Compact GuardLogix 5380, ControlLogix 5580, GuardLogix 5580) in firmware version 31.011 and later allows an unauthenticated attacker to send a malformed packet that causes the controller to crash and become unavailable (denial-of-service). The vulnerability exists in input validation and does not require credentials or user interaction. Rockwell Automation has released patched firmware versions (32.016 or later, 33.015 or later, or 34.011 or later depending on the firmware branch).
What this means
What could happen
An attacker with network access could cause a denial-of-service condition on your Logix controller, stopping process execution and interrupting production until the device is rebooted or power-cycled.
Who's at risk
Water utilities, electric utilities, and any facility operating CompactLogix, Compact GuardLogix, ControlLogix, or GuardLogix 5380/5480/5580 controllers for pumping, power distribution, or process control. This affects mid-size municipal operations and industrial plants using Allen-Bradley PLC platforms.
How it could be exploited
An attacker on your network (or with routable access to your control network) sends a specially crafted packet to the Logix controller. The controller fails to validate the packet contents correctly, crashes, and becomes unavailable. This disrupts any automation processes controlled by that device.
Prerequisites
- Network reachability to the Logix controller on its service port (typically EtherNet/IP port 2222 or 44818)
- No authentication required
Remotely exploitableNo authentication requiredLow complexity attackNo patch available for firmware versions 31.011 and laterHigh CVSS score (8.6)Affects critical control devices
Exploitability
Some exploitation risk — EPSS score 1.5%
Affected products (5)
5 with fix
ProductAffected VersionsFix Status
CompactLogix, Compact GuardLogix, ControlLogix, and GuardLogix controllers - CompactLogix 5480 controllers: firmware≥ 31.01132.016+, 33.015+, 34.011+
CompactLogix, Compact GuardLogix, ControlLogix, and GuardLogix controllers - ControlLogix 5580 controllers: firmware≥ 31.01132.016+, 33.015+, 34.011+
CompactLogix, Compact GuardLogix, ControlLogix, and GuardLogix controllers - GuardLogix 5580 controllers: firmware≥ 31.01132.016+, 33.015+, 34.011+
CompactLogix, Compact GuardLogix, ControlLogix, and GuardLogix controllers - CompactLogix 5380 controllers: firmware≥ 31.01132.016+, 33.015+, 34.011+
CompactLogix, Compact GuardLogix, ControlLogix, and GuardLogix controllers - Compact GuardLogix 5380 controllers: firmware≥ 31.01132.016+, 33.015+, 34.011+
Remediation & Mitigation
0/8
Do now
0/1WORKAROUNDRestrict network access to Logix controllers using firewall rules; allow only engineering workstations and authorized devices to reach the controller ports
Schedule — requires maintenance window
0/5Patching may require device reboot — plan for process interruption
HOTFIXUpgrade CompactLogix 5380 controllers to firmware version 32.016 or later, 33.015 or later, or 34.011 or later depending on current firmware branch
HOTFIXUpgrade Compact GuardLogix 5380 controllers to firmware version 32.016 or later, 33.015 or later, or 34.011 or later depending on current firmware branch
HOTFIXUpgrade CompactLogix 5480 controllers to firmware version 32.016 or later, 33.015 or later, or 34.011 or later depending on current firmware branch
HOTFIXUpgrade ControlLogix 5580 controllers to firmware version 32.016 or later, 33.015 or later, or 34.011 or later depending on current firmware branch
HOTFIXUpgrade GuardLogix 5580 controllers to firmware version 32.016 or later, 33.015 or later, or 34.011 or later depending on current firmware branch
Long-term hardening
0/2HARDENINGEnsure Logix controllers are not directly accessible from your business network or the Internet; place them behind a firewall or on a segregated control network
HARDENINGApply Rockwell Automation security best practices for defense-in-depth, including segmentation, access controls, and monitoring
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/efe21d20-9865-49d5-9677-03a2f39f2dd5Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.