Rockwell Automation ControlLogix and GuardLogix

Plan PatchCVSS 8.6ICS-CERT ICSA-24-030-05Jan 30, 2024

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A denial-of-service vulnerability exists in Rockwell Automation ControlLogix 5570 and GuardLogix 5570 programmable logic controllers. The flaw allows an attacker with network access to send a specially crafted packet that crashes the device by triggering a buffer overflow (CWE-119). The affected firmware versions are ControlLogix 5570 v20.011, ControlLogix 5570 Redundancy v20.054_kit1, and GuardLogix 5570 v20.011. Exploitation causes the PLC to stop responding and requires manual restart to restore operations. No user interaction or credentials are required; the attacker needs only network reachability to the device.

What this means

What could happen

An attacker with network access to an affected ControlLogix or GuardLogix PLC could send a crafted packet to crash the device, causing a denial of service and stopping automated process control until the device is manually restarted.

Who's at risk

Water treatment plants, municipal electric utilities, and other critical infrastructure operators running Rockwell Automation ControlLogix 5570 or GuardLogix 5570 PLCs should care about this vulnerability. It affects programmable logic controllers used to automate pump stations, treatment processes, distribution systems, and safety functions. Any facility using these devices for process automation is at risk.

How it could be exploited

An attacker on the same network segment or with routed access to the PLC sends a malformed packet that triggers a buffer overflow or out-of-bounds memory access in the firmware. The PLC crashes and stops responding to control commands. No user interaction or prior authentication is needed.

Prerequisites

Network access to the PLC on its control port (typically port 2222 for EtherNet/IP)
The PLC must be running one of the affected firmware versions (v20.011 or earlier)

remotely exploitableno authentication requiredlow complexity attackcauses denial of service to critical control devicesaffects safety-related systems (GuardLogix)

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

GuardLogix 5570: Firmware__20.011Firmware 20.011v33.016, v34.013, v35.012, v36.011+

ControlLogix 5570: Firmware__20.011Firmware 20.011v33.016, v34.013, v35.012, v36.011+

ControlLogix 5570 redundant: Firmware__20.054_kit1Firmware 20.054 kit1v33.016, v34.013, v35.012, v36.011+

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDRestrict network access to PLCs using firewall rules; allow only engineering workstations and control network traffic to reach the device

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate ControlLogix 5570 firmware to v33.016, v34.013, v35.012, v36.011 or later

HOTFIXUpdate ControlLogix 5570 Redundancy firmware to v33.053_kit1, v34.052_kit1, v35.052_kit1, v36.051_kit1 or later

HOTFIXUpdate GuardLogix 5570 firmware to v33.016, v34.013, v35.012, v36.011 or later

Long-term hardening

0/2

HARDENINGIsolate control system network from corporate/business network using a firewall or network segmentation

HARDENINGEnsure PLCs are not reachable from the internet or untrusted networks

CVEs (1)

CVE-2024-21916

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d986bf99-ecae-4b4a-84e9-04837e7c9b7b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.