Rockwell Automation ControlLogix and GuardLogix (Update A)

Plan PatchCVSS 8.6ICS-CERT ICSA-24-107-03Apr 16, 2024

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in Rockwell Automation ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, CompactLogix 5480, and Compact GuardLogix 5380 controllers and the 1756-EN4TR Ethernet module results from improper input validation (CWE-20) in firmware versions V35.011. An attacker can send a specially crafted network message to trigger a major nonrecoverable fault (MNRF), causing the controller to become unavailable and requiring manual recovery. The vulnerability is remotely exploitable over EtherNet/IP without authentication.

What this means

What could happen

An attacker could trigger a major nonrecoverable fault in your ControlLogix, GuardLogix, or CompactLogix controller, causing it to shut down and stop all controlled processes until the device is manually recovered and rebooted.

Who's at risk

Water treatment and distribution authorities, electric utilities, and any facility running Rockwell Automation ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, CompactLogix 5480, Compact GuardLogix 5380, or their process variants. These PLCs are commonly used in SCADA systems, process control, and critical infrastructure automation.

How it could be exploited

An attacker with network access to your affected PLC or controller could send a specially crafted input message that triggers an unvalidated input handling condition, causing the controller to fault and become unavailable. No authentication is required if the device is reachable on your network.

Prerequisites

Network access to the affected Rockwell Automation controller on ports used by EtherNet/IP (typically 44818/TCP and UDP)
Device must be running one of the vulnerable firmware versions (V35.011)

remotely exploitableno authentication requiredlow complexityaffects safety systems (GuardLogix)causes system unavailability/denial of service

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (8)

8 with fix

ProductAffected VersionsFix Status

ControlLogix 5580: V35.011V35.01135.013 or V36.011

GuardLogix 5580: V35.011V35.01135.013 or V36.011

CompactLogix 5380: V35.011V35.01135.013 or V36.011

1756-EN4TR: V5.001V5.0016.001

Compact GuardLogix 5380: V35.011V35.01135.013

ControlLogix 5580 Process: V35.011V35.01135.013

CompactLogix 5380 Process: V35.011V35.01135.013

CompactLogix 5480: V35.011V35.01135.013

Remediation & Mitigation

0/8

Do now

0/1

WORKAROUNDImplement network firewall rules to restrict EtherNet/IP access to your PLCs, allowing only engineering workstations and authorized systems

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

HOTFIXUpdate ControlLogix 5580 firmware to version V35.013 or V36.011 or later

HOTFIXUpdate GuardLogix 5580 firmware to version V35.013 or V36.011 or later

HOTFIXUpdate CompactLogix 5380 firmware to version V35.013 or V36.011 or later

HOTFIXUpdate CompactLogix 5480 firmware to version V35.013 or V36.011 or later

HOTFIXUpdate 1756-EN4TR Ethernet module firmware to version V6.001 or later

Long-term hardening

0/2

HARDENINGIsolate control system networks from business networks using air gaps, firewalls, or demilitarized zones

HARDENINGIf remote access to controllers is necessary, enforce VPN connections with current security patches and strong authentication

CVEs (1)

CVE-2024-3493

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f5cbe8cf-9bb5-4885-a7e2-6dbbe83aee4f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.