Rockwell Automation Select Distributed I/O Communication Modules

Plan PatchCVSS 8.6ICS-CERT ICSA-23-236-06Aug 24, 2023

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A denial-of-service vulnerability exists in Rockwell Automation distributed I/O communication modules due to improper input validation (CWE-787 out-of-bounds write). An unauthenticated attacker on the network can send a specially crafted packet to cause the module to crash and stop responding. The vulnerability affects 1734-AENT/AENTR, 1738-AENT/AENTR, 1794-AENTR, 1732E series, and 1799ER-IQ10XOQ10 modules used in CompactLogix and ControlLogix systems. Successful exploitation results in loss of communication with field devices connected through the affected module, disrupting sensor data acquisition and control commands until the module is manually restarted.

What this means

What could happen

An attacker could crash these I/O communication modules by sending a specially crafted packet, causing them to stop responding and disrupting sensor input or control output to your PLC.

Who's at risk

Water utilities and electric utilities using Rockwell Automation distributed I/O modules for remote terminal units (RTUs), pump control, substation monitoring, or field instrumentation. Specifically affects CompactLogix and ControlLogix systems using 1734-AENT, 1738-AENT, 1794-AENTR, 1732E, and 1799ER I/O adapters for Ethernet connectivity.

How it could be exploited

An attacker with network access to the affected module could send a malformed message to port 502 (Modbus TCP) or the EtherNet/IP port (typically 2222 or 44818). The module fails to properly validate the packet and crashes, becoming unresponsive until manually restarted.

Prerequisites

Network access to the I/O module's EtherNet/IP or Modbus TCP port
No authentication required

remotely exploitableno authentication requiredlow complexityaffects availability of distributed I/Oaffects critical instrumentation networks

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (17)

17 with fix

ProductAffected VersionsFix Status

1734-AENT/1734-AENTR Series C: <= 7.011≤ 7.0117.013

1734-AENT/1734-AENTR Series B: <= 5.019≤ 5.0195.021

1738-AENT/ 1738-AENTR Series B: <= 6.011≤ 6.0116.013

1794-AENTR Series A: <= 2.011≤ 2.0112.012

1732E-16CFGM12QCWR Series A: <= 3.011≤ 3.0113.012

Remediation & Mitigation

0/7

Do now

0/1

HARDENINGRestrict network access to I/O modules using firewall rules or network segmentation—limit EtherNet/IP and Modbus TCP traffic to only authorized engineering workstations and control systems

Schedule — requires maintenance window

0/6

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade 1734-AENT/1734-AENTR Series C to firmware version 7.013 or later

HOTFIXUpgrade 1734-AENT/1734-AENTR Series B to firmware version 5.021 or later

HOTFIXUpgrade 1738-AENT/1738-AENTR Series B to firmware version 6.013 or later

HOTFIXUpgrade 1794-AENTR Series A to firmware version 2.012 or later

HOTFIXUpgrade 1732E series (all variants) to firmware version 3.012 or later

HOTFIXUpgrade 1799ER-IQ10XOQ10 Series B to firmware version 3.012 or later

CVEs (1)

CVE-2022-1737

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/38fc6cd9-7b64-438b-81ca-ad034b76770a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.