OTPulse

Rockwell Automation ControlLogix and GuardLogix (Update A)

Plan Patch | CVSS 8.6 | ICS-CERT ICSA-24-107-03 | Apr 16, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Rockwell Automation ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, CompactLogix 5480, and Compact GuardLogix 5380 controllers and the 1756-EN4TR Ethernet module results from improper input validation (CWE-20) in firmware versions V35.011. An attacker can send a specially crafted network message to trigger a major nonrecoverable fault (MNRF), causing the controller to become unavailable and requiring manual recovery. The vulnerability is remotely exploitable over EtherNet/IP without authentication.

What this means
What could happen
An attacker could trigger a major nonrecoverable fault in your ControlLogix, GuardLogix, or CompactLogix controller, causing it to shut down and stop all controlled processes until the device is manually recovered and rebooted.
Who's at risk
Water treatment and distribution authorities, electric utilities, and any facility running Rockwell Automation ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, CompactLogix 5480, Compact GuardLogix 5380, or their process variants. These PLCs are commonly used in SCADA systems, process control, and critical infrastructure automation.
How it could be exploited
An attacker with network access to your affected PLC or controller could send a specially crafted input message that triggers an unvalidated input handling condition, causing the controller to fault and become unavailable. No authentication is required if the device is reachable on your network.
Prerequisites
  • Network access to the affected Rockwell Automation controller on ports used by EtherNet/IP (typically 44818/TCP and UDP)
  • Device must be running one of the vulnerable firmware versions (V35.011)
remotely exploitable, no authentication required, low complexity, affects safety systems (GuardLogix), causes system unavailability/denial of service
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (8)
8 with fix
Product                      Affected Versions   Fix Status
ControlLogix 5580            V35.011             35.013 or V36.011
GuardLogix 5580              V35.011             35.013 or V36.011
CompactLogix 5380            V35.011             35.013 or V36.011
1756-EN4TR                   V5.001              6.001
Compact GuardLogix 5380      V35.011             35.013
ControlLogix 5580 Process    V35.011             35.013
CompactLogix 5380 Process    V35.011             35.013
CompactLogix 5480            V35.011             35.013
Remediation & Mitigation
Do now
WORKAROUND: Implement network firewall rules to restrict EtherNet/IP access to your PLCs, allowing only engineering workstations and authorized systems
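
One way to confirm the firewall workaround is in effect, as an added example that is not part of the advisory or any Rockwell Automation tooling: audit flow records for EtherNet/IP traffic (port 44818) reaching controllers from sources outside an allowlist. The log format, subnet, addresses and allowlist below are constructed assumptions; IPv6 records are skipped as malformed.

```python
import ipaddress

ENIP_PORT = 44818  # EtherNet/IP port named in the advisory (TCP and UDP)
# Assumed site data (constructed): controller subnet, authorized source hosts.
CONTROLLERS = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.1.10"),   # engineering workstation
                   ipaddress.ip_address("10.20.1.20")}   # SCADA server

# Constructed flow records: "timestamp proto src:sport dst:dport action"
SAMPLE_FLOWS = """\
2024-04-16T08:00:01Z tcp 10.20.1.10:51012 10.20.0.5:44818 allow
2024-04-16T08:00:07Z tcp 192.168.50.23:40222 10.20.0.5:44818 allow
2024-04-16T08:00:09Z udp 10.30.4.8:44818 10.20.0.6:44818 deny
2024-04-16T08:00:12Z tcp 10.20.1.20:50100 10.20.0.7:443 allow
malformed line here
2024-04-16T08:00:15Z udp 172.16.9.4:60001 10.20.0.9:44818 allow
"""

def parse_flow(line):
    """Return (ts, proto, src_ip, dst_ip, dst_port, action) or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, proto, src, dst, action = parts
    try:
        src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
        dst_host, dst_port = dst.rsplit(":", 1)
        return ts, proto, src_ip, ipaddress.ip_address(dst_host), int(dst_port), action
    except ValueError:
        return None

def audit(flows_text):
    """List EtherNet/IP flows to controllers from non-allowlisted sources."""
    findings = []
    for line in flows_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, proto, src_ip, dst_ip, dst_port, action = rec
        if dst_port != ENIP_PORT or dst_ip not in CONTROLLERS:
            continue
        if src_ip in ALLOWED_SOURCES:
            continue
        # "allow" means no rule stopped the flow; "deny" means the rule worked.
        status = "EXPOSED" if action == "allow" else "blocked"
        findings.append((status, ts, proto, str(src_ip), str(dst_ip)))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

Any EXPOSED row identifies a source that can still reach a controller on 44818 and needs a firewall rule or an allowlist entry.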
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ControlLogix 5580 firmware to version V35.013 or V36.011 or later
HOTFIX: Update GuardLogix 5580 firmware to version V35.013 or V36.011 or later
HOTFIX: Update CompactLogix 5380 firmware to version V35.013 or V36.011 or later
HOTFIX: Update CompactLogix 5480 firmware to version V35.013 or V36.011 or later
HOTFIX: Update 1756-EN4TR Ethernet module firmware to version V6.001 or later
Long-term hardening
HARDENING: Isolate control system networks from business networks using air gaps, firewalls, or demilitarized zones
HARDENING: If remote access to controllers is necessary, enforce VPN connections with current security patches and strong authentication
Rockwell Automation ControlLogix and GuardLogix (Update A) | CVSS 8.6 - OTPulse