OTPulse

Rockwell Automation products using GoAhead Web Server

Priority: Act Now | Score: 9.8 | Source: ICS-CERT ICSA-23-026-06 | Published: Jan 26, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Rockwell Automation products using the GoAhead Web Server contain vulnerabilities (CWE-835 infinite loop and CWE-416 use-after-free) that allow unauthenticated remote attackers to execute arbitrary code, read sensitive information, or cause denial of service. Affected products include CompactLogix 5380/5480, ControlLogix 5580, GuardLogix 5580, Compact GuardLogix 5380 controllers, 1756-EN2T/D, 1756-EN2TR/C, 1756-EN2F/C, 1756-EN2TP/A ethernet modules, 1756-HIST data logging modules, 1769-AENTR, 1747-AENTR, 5069-AEN2TR, and 1732E I/O modules. The vulnerabilities are exploitable through unauthenticated HTTP requests with low attack complexity. No public exploits are currently known, but the high EPSS score (77.4%) indicates significant exploitation risk.

What this means
What could happen
An attacker on the network could remotely take control of affected Rockwell Automation controllers and I/O modules, potentially altering process logic, changing setpoints, or halting production without authentication. This affects any industrial control system or data collection device relying on these products for process automation or monitoring.
Who's at risk
Water authorities and electric utilities using Rockwell Automation CompactLogix, ControlLogix, or GuardLogix controllers (5380, 5480, 5580 series), as well as facilities using 1756-EN2T/D, 1756-EN2TR/C, 1756-EN2F/C, 1756-EN2TP/A ethernet cards, 1756-HIST data logging modules, or 1732E I/O modules. Any organization relying on these devices for critical process automation or SCADA data collection is affected.
How it could be exploited
An attacker sends a crafted HTTP request to the GoAhead Web Server running on an affected device (port 80). The vulnerability allows unauthenticated command execution or memory corruption, giving the attacker full control of the device. Once compromised, the attacker can modify ladder logic, steal configuration data, or stop the controller from operating.
Prerequisites
  • Network reachability to HTTP port 80 on the affected device
  • No authentication required
  • Device must be running a vulnerable firmware version with web server enabled
Key risk factors:
  • remotely exploitable
  • no authentication required
  • low attack complexity
  • high EPSS score (77.4%)
  • no patch available for many legacy products
  • affects critical control system devices
Exploitability
High exploit probability (EPSS 77.4%)
Affected products (28)
Fix status: 28 pending
Product | Affected Versions | Fix Status
Products using GoAhead Web Server: 1732E-8CFGM8R/A | firmware 1.012 | No fix yet
Products using GoAhead Web Server: 1732E-IF4M12R/A (discontinued) | firmware 1.012 | No fix yet
Products using GoAhead Web Server: 1732E-IR4IM12R/A | firmware 1.012 | No fix yet
Products using GoAhead Web Server: 1732E-IT4IM12R/A | firmware 1.012 | No fix yet
Products using GoAhead Web Server: 1732E-OF4M12R/A | firmware 1.012 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable the web server on affected devices if a firmware update is not immediately possible. Consult the product user manual for disabling instructions.
WORKAROUND: Configure firewall rules to block HTTP traffic (port 80) to all affected devices from untrusted networks.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update firmware to patched versions: 1769-AENTR to v1.003+, 1756-EN2T/D to v11.002+, 1756-EN2TR/C to v11.002+, 1756-EN2F/C to v11.002+, 1756-EN2TP/A to v11.002+, 1756-HIST2G/B to v5.104+, ControlLogix/GuardLogix 5580 to V32.016+, CompactLogix 5380/5480 to V32.016+.
HOTFIX: For 1732E-series devices without patch availability, upgrade to the latest available firmware version to gain the web server disable capability.
Long-term hardening
HARDENING: Segment control system networks from business networks and Internet-facing systems. Ensure no affected devices are reachable from the Internet or untrusted network segments.
HARDENING: For remote access scenarios, implement VPN access with multi-factor authentication and keep VPN appliances fully patched.