Rockwell Automation Select Distributed I/O Communication Modules
Action: Plan Patch
CVSS base score: 8.6
Source: ICS-CERT ICSA-23-236-06
Published: Aug 24, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A denial-of-service vulnerability exists in Rockwell Automation distributed I/O communication modules due to improper input validation. An unauthenticated attacker with network access to the module can send a specially crafted packet that causes the module to fault and stop responding. Affected hardware is the 1734-AENT/AENTR, 1738-AENT/AENTR, 1794-AENTR, 1732E series and 1799ER-IQ10XOQ10 EtherNet/IP adapters used with CompactLogix and ControlLogix controllers. Successful exploitation severs communication with every field device behind the affected adapter, halting sensor data acquisition and control output until the module is manually restarted.
What this means
What could happen
An attacker could crash these I/O communication modules by sending a specially crafted packet, causing them to stop responding and disrupting sensor input or control output to your PLC.
Who's at risk
Operators of Rockwell Automation distributed I/O in any sector, including water and electric utilities that use these modules for remote terminal units (RTUs), pump control, substation monitoring or field instrumentation. Specifically affected are CompactLogix and ControlLogix systems that reach their I/O through 1734-AENT/AENTR, 1738-AENT/AENTR, 1794-AENTR, 1732E and 1799ER adapters over EtherNet/IP.
How it could be exploited
An attacker with network access to the affected module sends a malformed EtherNet/IP (CIP) message to the adapter: TCP or UDP port 44818 carries explicit messaging, UDP port 2222 carries implicit (Class 1) I/O. These adapters speak EtherNet/IP, not Modbus TCP, so port 502 is not part of their attack surface. The module fails to validate the packet, faults and stays unresponsive until it is manually restarted. Treat active scanning with the same caution: malformed EtherNet/IP probes from a vulnerability scanner can trigger the same fault, so scan these modules only inside a maintenance window or rely on passive discovery.
Prerequisites
- Network access to the module's EtherNet/IP ports (TCP/UDP 44818, UDP 2222)
- No authentication required
Tags: remotely exploitable, no authentication required, low complexity, affects availability of distributed I/O, affects critical instrumentation networks
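The exposure described above is a single unauthenticated datagram reaching an adapter's EtherNet/IP port, so the detection that matters is "who is talking to my I/O adapters, and does the traffic look sane". The following is an added example written for this page, not code from Rockwell, ICS-CERT or the advisory: it parses the 24-byte EtherNet/IP encapsulation header and runs two checks over a mirror-port feed, an allowlist of engineering hosts and controllers (the detection counterpart of the firewall rule under "Do now") and a generic consistency check between the header's Length field and the bytes actually present. The Length check is a general malformation test, not the undisclosed trigger for this vulnerability. The addresses, allowlist and packets are constructed sample data.

```python
"""Spot EtherNet/IP traffic that should never reach a distributed I/O adapter.

Added example for this advisory, not code from Rockwell or ICS-CERT.
Allowlist check applies to both EtherNet/IP ports; the encapsulation header
check applies only to explicit messaging on 44818, because implicit I/O on
UDP 2222 carries Common Packet Format items with no encapsulation header.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EXPLICIT_PORT = 44818   # EtherNet/IP explicit messaging, TCP and UDP
IMPLICIT_PORT = 2222    # EtherNet/IP implicit (Class 1) I/O, UDP
ENCAP = struct.Struct("<HHIIQI")  # command, length, session handle, status, sender context, options
COMMANDS = {0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
            0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
            0x006F: "SendRRData", 0x0070: "SendUnitData"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def encap(command, data=b"", session=0):
    """Build a well-formed encapsulation packet; used here only to construct samples."""
    return ENCAP.pack(command, len(data), session, 0, 0, 0) + data


def parse_encap(payload):
    """Return (command name, declared data length, actual data length), or None if truncated."""
    if len(payload) < ENCAP.size:
        return None
    command, length, *_ = ENCAP.unpack_from(payload)
    return COMMANDS.get(command, f"0x{command:04x}"), length, len(payload) - ENCAP.size


def inspect(packet, allowed_sources):
    """Findings for one packet; an empty list means nothing to report."""
    if packet.dport not in (EXPLICIT_PORT, IMPLICIT_PORT):
        return []
    findings = []
    if not any(ip_address(packet.src) in net for net in allowed_sources):
        findings.append(f"unauthorized source {packet.src} -> {packet.dst}:{packet.dport}")
    if packet.dport == EXPLICIT_PORT:
        parsed = parse_encap(packet.payload)
        if parsed is None:
            findings.append(f"truncated encapsulation header from {packet.src} "
                            f"({len(packet.payload)} bytes)")
        else:
            command, declared, actual = parsed
            if declared != actual:
                findings.append(f"{command} from {packet.src}: Length field says {declared}, "
                                f"{actual} bytes present")
    return findings


def triage(packets, allowed_sources):
    """Run inspect() over a feed and return every finding in order."""
    return [f for p in packets for f in inspect(p, allowed_sources)]


# Constructed data: the engineering VLAN is allowed, anything else is not.
ALLOWED = [ip_network("10.10.0.0/24")]
ADAPTER = "10.10.1.20"
SAMPLE_PACKETS = [
    Packet("10.10.0.5", ADAPTER, EXPLICIT_PORT, encap(0x0063)),                       # ListIdentity, clean
    Packet("10.10.0.5", ADAPTER, EXPLICIT_PORT, encap(0x0065, b"\x01\x00\x00\x00")),  # RegisterSession v1
    Packet("10.9.9.9", ADAPTER, EXPLICIT_PORT,
           ENCAP.pack(0x006F, 0x1000, 7, 0, 0, 0) + b"\x00\x00"),                     # Length lies: 4096 vs 2
    Packet("10.9.9.9", ADAPTER, IMPLICIT_PORT, b"\x02\x00\x02\x80\x04\x00"),            # stray I/O datagram
    Packet("10.9.9.9", ADAPTER, 502, b""),                                              # not EtherNet/IP, ignored
]

if __name__ == "__main__":
    for line in triage(SAMPLE_PACKETS, ALLOWED):
        print(line)
```

Run as-is it prints three findings: two for the oversized-Length packet (unauthorized source, then the header mismatch) and one for the stray datagram to 2222. In production the feed would come from a span port or a flow sensor rather than a list; the allowlist should match the firewall rule applied under "Do now" so that any hit is both a policy violation and a sign the segmentation is not holding.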
Exploitability
Low exploit probability (EPSS 0.0%). EPSS estimates the chance that exploitation is observed in the wild over the next 30 days; it sits near zero for most ICS CVEs because such exploitation is rarely observed and reported, not because the attack is hard. With no authentication required and a single packet sufficient, it should not be used to deprioritize this patch.
Affected products (17)
17 with fix (five rows reproduced below; the remaining 1732E variants and the 1799ER-IQ10XOQ10 appear with their fixed versions under Remediation)
Product                          Affected Versions   Fix Status
1734-AENT/1734-AENTR Series C    <= 7.011            7.013
1734-AENT/1734-AENTR Series B    <= 5.019            5.021
1738-AENT/1738-AENTR Series B    <= 6.011            6.013
1794-AENTR Series A              <= 2.011            2.012
1732E-16CFGM12QCWR Series A      <= 3.011            3.012
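Checking an installed base against the table above is a version comparison that is easy to get wrong: Rockwell firmware strings such as "7.011" happen to sort correctly as text only because the minor field is zero-padded, and a revision like "10.001" compares below "9.011" as a string. The following added example (written for this page, not tooling from Rockwell or ICS-CERT) parses firmware into integers, treats anything below the first fixed version from the Remediation list as needing the update, and reports inventory rows the advisory does not cover so they are not silently skipped. The inventory rows and asset tags are constructed; the 1732E line assumes the "all variants" wording applies regardless of series, which the page does not state.

```python
"""Triage an adapter inventory against the first fixed firmware per product.

Added example, not tooling from the advisory. FIRST_FIXED is taken from the
Remediation list on this page; a unit is marked 'update' when its firmware
parses below the first fixed version for its catalog prefix and series.
"""
FIRST_FIXED = [  # (catalog number prefix, series or None for any series, first fixed firmware)
    ("1734-AENT", "C", "7.013"),          # prefix also matches 1734-AENTR
    ("1734-AENT", "B", "5.021"),
    ("1738-AENT", "B", "6.013"),
    ("1794-AENTR", "A", "2.012"),
    ("1732E", None, "3.012"),             # assumption: "all variants" means any series
    ("1799ER-IQ10XOQ10", "B", "3.012"),
]


def parse_fw(text):
    """'7.011' -> (7, 11); tolerates a leading 'v' and ignores fields past the second."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised firmware string {text!r}")
    return int(parts[0]), int(parts[1])


def triage(catalog, series, firmware):
    """Return (status, first_fixed); status is 'update', 'fixed' or 'not-listed'."""
    cat, ser = catalog.upper(), series.upper()
    for prefix, fix_series, first_fixed in FIRST_FIXED:
        if cat.startswith(prefix) and (fix_series is None or ser == fix_series):
            status = "update" if parse_fw(firmware) < parse_fw(first_fixed) else "fixed"
            return status, first_fixed
    return "not-listed", None


def report(inventory):
    """inventory: iterable of (asset tag, catalog, series, firmware) -> list of result rows."""
    rows = []
    for tag, catalog, series, firmware in inventory:
        status, first_fixed = triage(catalog, series, firmware)
        rows.append((tag, catalog, series, firmware, status, first_fixed))
    return rows


# Constructed inventory; asset tags are made up, catalog numbers are from this page
# except the last row, a different module family used to show the 'not-listed' path.
INVENTORY = [
    ("PUMP-STA-3/IO1", "1734-AENTR", "C", "7.011"),
    ("PUMP-STA-3/IO2", "1734-AENTR", "C", "7.013"),
    ("SUB-12/IO1", "1794-AENTR", "A", "2.011"),
    ("SUB-12/IO2", "1732E-16CFGM12QCWR", "A", "3.011"),
    ("SUB-12/IO3", "1756-EN2TR", "C", "11.001"),
]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print("%-16s %-22s %s %-7s %-10s %s" % row)
```

A 'not-listed' result means only that this advisory does not cover the unit, not that it is safe; feed those rows to whatever other advisories apply. Firmware strings can be pulled from the adapter's identity object (ListIdentity over EtherNet/IP) or from the engineering software's module properties; either way, parse them before comparing.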
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the I/O modules with firewall rules or network segmentation; permit EtherNet/IP traffic (TCP/UDP 44818, UDP 2222) only from authorized engineering workstations and controllers, and block it from every other zone.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Upgrade 1734-AENT/1734-AENTR Series C to firmware version 7.013 or later
HOTFIX: Upgrade 1734-AENT/1734-AENTR Series B to firmware version 5.021 or later
HOTFIX: Upgrade 1738-AENT/1738-AENTR Series B to firmware version 6.013 or later
HOTFIX: Upgrade 1794-AENTR Series A to firmware version 2.012 or later
HOTFIX: Upgrade 1732E series (all variants) to firmware version 3.012 or later
HOTFIX: Upgrade 1799ER-IQ10XOQ10 Series B to firmware version 3.012 or later
CVEs (1)
API:
/api/v1/advisories/38fc6cd9-7b64-438b-81ca-ad034b76770a