OTPulse

Rockwell Automation Select Communication Modules

Priority: Act Now
Severity score: 9.8
Source: ICS-CERT ICSA-23-193-01
Published: Jul 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability (CWE-787) in Rockwell Automation Select Communication Modules allows unauthenticated remote attackers to gain access to and modify the running memory of the module. The vulnerability exists in multiple EN2, EN3, and EN4 series Ethernet communication modules with firmware versions up to 5.028 (Series A/B/C), 11.003 (Series D variants), and 5.001 (EN4 series). Exploitation requires only network connectivity to the module and no valid credentials, allowing an attacker to read sensitive data, inject malicious commands, or disrupt control system communication.

What this means
What could happen
An attacker with network access to these communication modules could read or modify running memory, potentially altering control logic, stealing sensitive process data, or disrupting communications between your PLC and connected devices in the plant.
Who's at risk
Water utilities and municipal electric facilities using CompactLogix or ControlLogix PLCs with Rockwell Automation EN2 or EN3/EN4 series Ethernet communication modules. These modules serve as the primary network gateway for remote monitoring, SCADA integration, and inter-PLC communication. Affected models support various protocols, including EtherNet/IP and Modbus TCP, and are deployed in pump stations, treatment plants, distribution control centers, and substations.
How it could be exploited
An attacker sends a specially crafted network packet to the communication module (port 2222 or similar Ethernet module port). The module processes the malformed data due to an out-of-bounds write vulnerability, allowing the attacker to read or write arbitrary memory. No authentication is required, and the attacker does not need to interact with the PLC engineering software.
Prerequisites
  • Network access to the communication module on its management or data port (port 2222 or configured Ethernet port)
  • No credentials required
  • Remotely exploitable from any network-connected device
  • No authentication required
  • Low complexity attack
  • High EPSS score (32.1%)
  • Affects critical infrastructure communication modules
  • Out-of-bounds write allows memory corruption and code execution
Exploitability
High exploit probability (EPSS 32.1%)
Affected products (58)
58 with fix
Product                         Affected Versions   Fix Status
1756-EN2T Series A: <= 5.008    ≤ 5.008             5.029
1756-EN2T Series A: <= 5.028    ≤ 5.028             5.029
1756-EN2T Series B: <= 5.008    ≤ 5.008             5.029
1756-EN2T Series B: <= 5.028    ≤ 5.028             5.029
1756-EN2T Series C: <= 5.008    ≤ 5.008             5.029
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to communication module management ports using industrial firewall rules; limit traffic to authorized engineering workstations and control networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F Series A/B firmware to version 5.029 or later (signed versions recommended)
HOTFIX: Update 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F Series C firmware to version 11.004 or later
HOTFIX: Update 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT Series A firmware to version 11.004 or later
HOTFIX: Update 1756-EN3TR, 1756-EN3TRK Series A firmware to version 5.029 or later
HOTFIX: Update 1756-EN3TR, 1756-EN3TRK Series B firmware to version 11.004 or later
HOTFIX: Update 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT Series A firmware to version 5.002 or later
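The hotfix items above map catalog number and series to a target firmware version. The following script, an added example rather than OTPulse's or Rockwell Automation's own code, transcribes that mapping and runs it over a module inventory so a defender can see which modules still need which firmware and group them per maintenance window. The inventory is constructed sample data, and the rule "affected if the installed version is below the fix version" is an assumption consistent with the advisory's affected-version rows.

```python
"""Fleet check for ICSA-23-193-01: which Rockwell 1756 Ethernet modules still
need the firmware listed in the advisory's HOTFIX items.

Added example, not OTPulse's or Rockwell Automation's code. The
catalog-to-fix mapping is transcribed from the HOTFIX list; the inventory is
constructed sample data; 'affected if installed < fix version' is an
assumption consistent with the advisory's affected-version rows.
"""
from dataclasses import dataclass

# Fix version per (catalog number, series), transcribed from the HOTFIX items.
FIXED_FIRMWARE = {}


def _register(catalogs, series_list, fix):
    for cat in catalogs:
        for series in series_list:
            FIXED_FIRMWARE[(cat, series)] = fix


EN2_FAMILY = ["1756-EN2T", "1756-EN2TK", "1756-EN2TXT", "1756-EN2TR",
              "1756-EN2TRK", "1756-EN2TRXT", "1756-EN2F"]
_register(EN2_FAMILY, ["A", "B"], "5.029")
_register(EN2_FAMILY, ["C"], "11.004")
_register(["1756-EN2TP", "1756-EN2TPK", "1756-EN2TPXT"], ["A"], "11.004")
_register(["1756-EN3TR", "1756-EN3TRK"], ["A"], "5.029")
_register(["1756-EN3TR", "1756-EN3TRK"], ["B"], "11.004")
_register(["1756-EN4TR", "1756-EN4TRK", "1756-EN4TRXT"], ["A"], "5.002")


def parse_version(text):
    """'5.028' -> (5, 28): compared as integer tuples (major, minor)."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Module:
    host: str       # asset tag or address as recorded in the inventory
    catalog: str    # e.g. '1756-EN2T'
    series: str     # 'A', 'B' or 'C'
    firmware: str   # installed firmware as reported by the module


def assess(module):
    """Return ('affected', fix), ('fixed', fix) or ('not-listed', None)."""
    fix = FIXED_FIRMWARE.get((module.catalog.upper(), module.series.upper()))
    if fix is None:
        return ("not-listed", None)        # catalog/series not in the advisory
    if parse_version(module.firmware) < parse_version(fix):
        return ("affected", fix)
    return ("fixed", fix)


def plan(inventory):
    """Group affected modules by target firmware, one list per maintenance
    window, so the reboot-requiring updates can be scheduled per fix version."""
    work = {}
    for m in inventory:
        status, fix = assess(m)
        if status == "affected":
            work.setdefault(fix, []).append(m.host)
    return work


# Constructed sample inventory (hypothetical hosts, not real assets).
SAMPLE_INVENTORY = [
    Module("pump-station-1", "1756-EN2T", "A", "5.028"),
    Module("pump-station-2", "1756-EN2T", "A", "5.029"),
    Module("treatment-plc", "1756-EN2TR", "C", "11.003"),
    Module("substation-gw", "1756-EN4TR", "A", "5.001"),
    Module("lab-bench", "1756-EN3TR", "B", "11.004"),
    Module("legacy-io", "1756-ENBT", "A", "6.006"),  # not in the HOTFIX list
]

if __name__ == "__main__":
    for m in SAMPLE_INVENTORY:
        print(m.host, m.catalog, m.series, m.firmware, "->", assess(m))
    print(plan(SAMPLE_INVENTORY))
```

Modules that come back as "not-listed" are not cleared by this check; they simply are not named in the HOTFIX items and need to be matched against the full affected-products table.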
Long-term hardening
HARDENING: Segment communication modules onto separate VLANs or subnets isolated from untrusted networks and the internet
API: /api/v1/advisories/7d53484c-2cde-46ee-b664-07fb00132a0b