OTPulse

Rockwell Automation ControlLogix, GuardLogix, and CompactLogix

Plan Patch · 7.4 · ICS-CERT ICSA-24-163-01 · Jun 11, 2024
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

A denial-of-service vulnerability in Rockwell Automation ControlLogix, GuardLogix, and CompactLogix controllers running firmware V34.011 and earlier allows an unauthenticated attacker on the local network to send a specially crafted packet via mDNS (multicast DNS, port 5353) that causes the device to become unresponsive. The vulnerability affects all ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, Compact GuardLogix 5380, and CompactLogix 5480 series controllers at the vulnerable version level, as well as the 1756-EN4 Ethernet module at V4.001. Successful exploitation results in loss of availability—the device stops responding to legitimate commands and operations until manually restarted. No public exploitation has been reported, but the vulnerability is remotely triggerable on any local-network-attached device.

What this means
What could happen
An attacker on the local network could make your PLC or CompactLogix controllers unavailable, potentially stopping normal process execution or industrial operations until the device is restarted or a reboot is forced.
Who's at risk
Water authorities and electric utilities operating Rockwell Automation ControlLogix, GuardLogix, or CompactLogix controllers on firmware versions V34.011 or earlier are affected. Impact extends to any facility using 1756-EN4 network modules at V4.001. All industrial sites with these PLCs should review affected versions immediately.
How it could be exploited
An attacker with layer 2 (ARP/local network) access sends a specially crafted packet to the device, triggering a denial-of-service condition that causes the device to become unresponsive. No authentication is required; the attack works against any device on the same subnet that uses mDNS discovery.
Prerequisites
  • Layer 2 network access (same subnet/VLAN as the affected device)
  • Device using mDNS for discovery (default behavior unless APD is enabled)
  • Affected firmware version (V34.011 or earlier without patch)
  • No authentication required
  • Layer 2 network access (local subnet attacker)
  • Low complexity attack
  • No patch available for affected versions (workarounds required)
  • Availability impact (denial of service)
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (6)
6 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| GuardLogix 5580 | V34.011 | V34.014, V35.013, V36.011 or later |
| 1756-EN4 | V4.001 | V6.001 or later |
| CompactLogix 5380 | V34.011 | V34.014, V35.013, V36.011 or later |
| CompactLogix 5480 | V34.011 | V34.014, V35.013, V36.011 or later |
| ControlLogix 5580 | V34.011 | V34.014, V35.013, V36.011 or later |
| Compact GuardLogix 5380 | V34.011 | V34.014, V35.013, V36.011 or later |

Remediation & Mitigation
Do now
  • WORKAROUND: Block mDNS port 5353 inbound at the network edge or firewall if Automatic Policy Deployment is not enabled
  • HARDENING: Enable CIP Security on all affected devices per Rockwell Automation's CIP Security with Products Application Technique guidance
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade ControlLogix 5580 to V34.014, V35.013, V36.011 or later
  • HOTFIX: Upgrade GuardLogix 5580 to V34.014, V35.013, V36.011 or later
  • HOTFIX: Upgrade 1756-EN4 to V6.001 or later
  • HOTFIX: Upgrade CompactLogix 5380 to V34.014, V35.013, V36.011 or later
  • HOTFIX: Upgrade Compact GuardLogix 5380 to V34.014, V35.013, V36.011 or later
  • HOTFIX: Upgrade CompactLogix 5480 to V34.014, V35.013, V36.011 or later
Long-term hardening
  • HARDENING: Isolate control system networks behind firewalls, ensuring devices are not reachable from the business network or internet
  • HARDENING: Restrict layer 2 network access to control system PLCs using network segmentation and VLANs where appropriate
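
An added example, not part of the advisory or of any Rockwell Automation tooling: a triage of a firmware inventory against the affected and fixed versions listed above. The device names and inventory are constructed; the code assumes that a release at or past the newest listed fix train includes the fix, and it reports versions the advisory does not cover as `verify` rather than guessing.

```python
import re

# Fixed releases per firmware train, copied from the advisory: (major, minor).
CONTROLLER_FIXES = [(34, 14), (35, 13), (36, 11)]
CONTROLLERS = ["ControlLogix 5580", "GuardLogix 5580", "CompactLogix 5380",
               "Compact GuardLogix 5380", "CompactLogix 5480"]
FIXES = {name: CONTROLLER_FIXES for name in CONTROLLERS}
FIXES["1756-EN4"] = [(6, 1)]
# (version, and_earlier): the advisory says "and earlier" only for the controllers.
AFFECTED = {name: ((34, 11), True) for name in CONTROLLERS}
AFFECTED["1756-EN4"] = ((4, 1), False)

def parse_version(text):
    """Turn 'V34.011' into (34, 11); raise ValueError on anything else."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(product, version):
    """Return 'affected', 'fixed', 'verify' or 'not-listed' for one device."""
    if product not in FIXES:
        return "not-listed"
    ver = parse_version(version)
    trains = FIXES[product]
    # Assumption: "or later" covers every release at or past the newest fix.
    if ver >= trains[-1]:
        return "fixed"
    # In an older train, only that train's fixed release or newer counts.
    if any(ver[0] == major and ver[1] >= minor for major, minor in trains):
        return "fixed"
    named, and_earlier = AFFECTED[product]
    if ver == named or (and_earlier and ver < named):
        return "affected"
    # Between the named affected and fixed releases the advisory is silent.
    return "verify"

# Constructed sample inventory: (asset name, product, firmware version).
INVENTORY = [
    ("PLC-A", "ControlLogix 5580", "V34.011"),
    ("PLC-B", "GuardLogix 5580", "V35.013"),
    ("PLC-C", "CompactLogix 5380", "V35.011"),
    ("ENET-1", "1756-EN4", "V4.001"),
]

def report(inventory):
    return {name: triage(product, version) for name, product, version in inventory}

if __name__ == "__main__":
    print(report(INVENTORY))
```

Assets reported as `verify` should be checked against the vendor's advisory before being treated as either safe or exposed.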