OTPulse

Rockwell Automation Select Communication Modules

Act NowCVSS 9.8ICS-CERT ICSA-23-193-01Jul 12, 2023
Rockwell Automation
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

A buffer overflow vulnerability (CWE-787) in Rockwell Automation Select Communication Modules allows unauthenticated remote attackers to gain access to and modify the running memory of the module. The vulnerability exists in multiple EN2, EN3, and EN4 series Ethernet communication modules with firmware versions up to 5.028 (Series A/B/C) and 11.003 (Series D variants), and 5.001 (EN4 series). Exploitation requires only network connectivity to the module and no valid credentials, allowing an attacker to read sensitive data, inject malicious commands, or disrupt control system communication.

What this means
What could happen
An attacker with network access to these communication modules could read or modify running memory, potentially altering control logic, stealing sensitive process data, or disrupting communications between your PLC and connected devices in the plant.
Who's at risk
Water utilities and municipal electric facilities using CompactLogix or ControlLogix PLCs with Rockwell Automation EN2 or EN3/EN4 series Ethernet communication modules. These modules serve as the primary network gateway for remote monitoring, SCADA integration, and inter-PLC communication. Affected models support various protocols including EtherNet/IP, Modbus TCP, and are deployed in pump stations, treatment plants, distribution control centers, and substations.
How it could be exploited
An attacker sends a specially crafted network packet to the communication module (port 2222 or similar Ethernet module port). The module processes the malformed data due to an out-of-bounds write vulnerability, allowing the attacker to read or write arbitrary memory. No authentication is required, and the attacker does not need to interact with the PLC engineering software.
Prerequisites
  • Network access to the communication module on its management or data port (port 2222 or configured Ethernet port)
  • No credentials required
Remotely exploitable from any network-connected deviceNo authentication requiredLow complexity attackHigh EPSS score (32.1%)Affects critical infrastructure communication modulesOut-of-bounds write allows memory corruption and code execution
Exploitability
Likely to be exploited — EPSS score 38.8%
Affected products (58)
58 with fix
ProductAffected VersionsFix Status
1756-EN2T Series A: <= 5.008≤ 5.0085.029
1756-EN2T Series A: <= 5.028≤ 5.0285.029
1756-EN2T Series B: <= 5.008≤ 5.0085.029
1756-EN2T Series B: <= 5.028≤ 5.0285.029
1756-EN2T Series C: <= 5.008≤ 5.0085.029
Remediation & Mitigation
0/8
Do now
0/1
WORKAROUNDRestrict network access to communication module management ports using industrial firewall rules; limit traffic to authorized engineering workstations and control networks only
Schedule — requires maintenance window
0/6

Patching may require device reboot — plan for process interruption

HOTFIXUpdate 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F Series A/B firmware to version 5.029 or later (signed versions recommended)
HOTFIXUpdate 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F Series C firmware to version 11.004 or later
HOTFIXUpdate 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT Series A firmware to version 11.004 or later
HOTFIXUpdate 1756-EN3TR, 1756-EN3TRK Series A firmware to version 5.029 or later
HOTFIXUpdate 1756-EN3TR, 1756-EN3TRK Series B firmware to version 11.004 or later
HOTFIXUpdate 1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT Series A firmware to version 5.002 or later
Long-term hardening
0/1
HARDENINGSegment communication modules onto separate VLANs or subnets isolated from untrusted networks and the internet
View full CISA ICS-CERT advisory
API: /api/v1/advisories/7d53484c-2cde-46ee-b664-07fb00132a0b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.