Rockwell Automation Select Logix Communication Modules
Priority: Act now
CVSS score: 9.8
Source: ICS-CERT ICSA-23-264-04, Sep 21, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A stack-based buffer overflow vulnerability (CWE-121) exists in Rockwell Automation EtherNet/IP communication modules. An unauthenticated attacker on the network can send a specially crafted EtherNet/IP packet that causes memory corruption and allows arbitrary code execution on the affected module. The vulnerability affects numerous 1756-EN2 and 1756-EN3 series communication modules on firmware versions 5.008 and earlier, 5.028, and 11.002 and earlier.
What this means
What could happen
An attacker with network access to these communication modules could run arbitrary code on them, potentially disrupting network traffic between your PLC and other equipment, causing process interruptions or equipment malfunction.
Who's at risk
Facilities using Rockwell Automation CompactLogix and ControlLogix systems with 1756-EN2T, EN2TK, EN2TXT, EN2TR, EN2TRK, EN2TRXT, EN2F, EN2FK, EN3TR, or EN3TRK EtherNet/IP communication modules. This affects manufacturing plants, water treatment systems, electric utilities, and any facility using these modules for network-based control.
How it could be exploited
An attacker on your network sends a crafted packet to the EtherNet/IP port (44818) on a vulnerable communication module. The module parses the packet without proper bounds checking, causing a buffer overflow. The attacker's code executes with module privileges, giving control over network communications and potentially the PLC itself.
Prerequisites
- Network access to EtherNet/IP port (44818) on the communication module
- No credentials or authentication required
Risk factors: remotely exploitable; no authentication required; low complexity; high CVSS score (9.8); affects multiple series and versions
Exploitability
Moderate exploit probability (EPSS 4.5%)
Affected products (55)
55 with fix
Product            | Affected Versions | Fix Status
1756-EN2T Series A    | <= 5.008 | 5.009 and 5.029
1756-EN2T Series A    | 5.028    | 5.009 and 5.029
1756-EN2T Series B    | <= 5.008 | 5.009 and 5.029
1756-EN2TRXT Series A | <= 5.008 | 5.009 and 5.029
1756-EN2TRXT Series A | 5.028    | 5.009 and 5.029
(5 of the 55 affected product rows are shown on this page)
Remediation & Mitigation
Do now
WORKAROUND: Restrict traffic to SMTP port 25 if email functionality is not required
WORKAROUND: Disable the email object on EN2/EN3 firmware version 10.x and higher if email functionality is not needed
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update affected 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, and 1756-EN3TRK communication modules to fixed firmware versions (5.009/5.029 for v5.x series; 11.003 for v11.x series)
Long-term hardening
HARDENING: Segment control system network behind firewall; restrict EtherNet/IP traffic from untrusted networks
HARDENING: Do not allow direct internet access to communication modules; use VPN or secure jump hosts for remote engineering access
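As an added example (not from this advisory or Rockwell), the following Python inventory triage applies the affected ranges and fixed versions stated above (5.008 and earlier, 5.028, 11.002 and earlier; fixes 5.009, 5.029, 11.003) to a list of module models and firmware revisions, so a plant team can see which units need the hotfix scheduled. The sample inventory is constructed, and the assumption that no other firmware branch is affected should be checked against the full advisory.

```python
import re
from typing import Tuple

# Affected firmware branches and their fixes, as stated on this advisory page.
# Tuple: (major, lowest affected minor, highest affected minor, fixed version).
# ASSUMPTION: only these branches are affected; anything else is reported as
# "not-listed-as-affected" so it can be checked against the full advisory.
AFFECTED_BRANCHES = [
    (5, 0, 8, "5.009"),     # 5.008 and earlier  -> 5.009
    (5, 28, 28, "5.029"),   # 5.028              -> 5.029
    (11, 0, 2, "11.003"),   # 11.002 and earlier -> 11.003
]

# Module models named in the hotfix step of this advisory.
AFFECTED_MODELS = {
    "1756-EN2T", "1756-EN2TK", "1756-EN2TXT", "1756-EN2TR", "1756-EN2TRK",
    "1756-EN2TRXT", "1756-EN2F", "1756-EN2FK", "1756-EN3TR", "1756-EN3TRK",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d{1,3})$")


def parse_firmware(version: str) -> Tuple[int, int]:
    """Split a Rockwell revision such as '5.028' into (5, 28)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def triage(model: str, version: str) -> dict:
    """Classify one module and name the fixed firmware to schedule, if any."""
    model = model.strip().upper()
    if model not in AFFECTED_MODELS:
        return {"model": model, "version": version, "status": "model-not-listed", "fix": None}
    major, minor = parse_firmware(version)
    for b_major, low, high, fix in AFFECTED_BRANCHES:
        if major == b_major and low <= minor <= high:
            return {"model": model, "version": version, "status": "affected", "fix": fix}
    return {"model": model, "version": version, "status": "not-listed-as-affected", "fix": None}


def triage_inventory(rows):
    """rows: iterable of (model, firmware) pairs -> list of triage results."""
    return [triage(m, v) for m, v in rows]


if __name__ == "__main__":
    # Constructed sample inventory, not data from any real site.
    INVENTORY = [("1756-EN2T", "5.008"), ("1756-EN2TR", "5.028"), ("1756-EN3TR", "11.002"),
                 ("1756-EN2TK", "5.029"), ("1756-L71", "33.011")]
    for r in triage_inventory(INVENTORY):
        print(f"{r['model']:<14} {r['version']:<8} {r['status']:<24} fix: {r['fix'] or '-'}")
```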
CVEs (1)