Rockwell ArmorStart

Monitor7ICS-CERT ICSA-23-136-02May 18, 2023

Attack VectorLocal

Auth RequiredNone

ComplexityHigh

User InteractionRequired

Summary

Rockwell ArmorStart devices (ST280E, ST281E, ST284E) contain input validation vulnerabilities in the web interface. Successful exploitation allows a malicious user to view and modify sensitive data or make the web page unavailable.

What this means

What could happen

An attacker with local access to an ArmorStart device could view or modify configuration data, or disable the web interface, potentially disrupting access to soft starter control and diagnostics.

Who's at risk

Electrical contractors and plant engineers using Rockwell ArmorStart soft starters (ST280E, ST281E, ST284E models) for motor control in water pumping stations, HVAC systems, or other industrial motor applications. Risk is highest during commissioning or maintenance windows when the web server is enabled.

How it could be exploited

An attacker must interact with the device's web interface locally (likely via USB or direct Ethernet connection on the device). The vulnerability involves input validation failures in web requests, allowing an attacker to submit malformed input to read or alter device configuration without authentication.

Prerequisites

Local network access to the device's web interface (typically enabled only during commissioning)
Web server must be enabled on the device (disabled by default)

No patch availableLocal attack vector onlyWeb server disabled by default (reduces attack surface)

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

ArmorStart ST281E: >= 2.004.06≥ 2.004.06No fix (EOL)

ArmorStart ST280E: *All versionsNo fix (EOL)

ArmorStart ST284E: *All versionsNo fix (EOL)

Remediation & Mitigation

0/2

Do now

0/1

WORKAROUNDDisable the web server on all ArmorStart devices during normal operation. Enable only when modifying configurations, then disable immediately after.

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: ArmorStart ST281E: >= 2.004.06, ArmorStart ST280E: *, ArmorStart ST284E: *. Apply the following compensating controls:

HARDENINGFollow Rockwell Automation's System Security Design Guidelines (SECURE-RM001) and Configure System Security Features User Manual (SECURE-UM001) to implement network segmentation and access controls around ArmorStart devices.

CVEs (10)

CVE-2023-29031 CVE-2023-29030 CVE-2023-29023 CVE-2023-29024 CVE-2023-29025 CVE-2023-29026 CVE-2023-29027 CVE-2023-29028 CVE-2023-29029 CVE-2023-29022

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/cdf2c7fd-eaee-46e1-a718-e45231a2fda8