Rockwell Automation Logix Controllers

Plan PatchCVSS 8.4ICS-CERT ICSA-24-214-09Aug 1, 2024

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

Rockwell Automation Logix controllers contain a vulnerability allowing authenticated attackers to execute arbitrary CIP (Common Industrial Protocol) programming and configuration commands. This could permit modification of process logic, alteration of setpoints, or disabling of safety functions on affected ControlLogix 5580, GuardLogix 5580, and 1756-EN series network adapter modules. The vulnerability requires valid engineering credentials and network access to the controller. Several older hardware series (A versions) have no patch available and require hardware upgrade to Series D.

What this means

What could happen

An attacker with valid controller credentials and network access could execute arbitrary CIP programming and configuration commands on affected Logix controllers, potentially altering process setpoints, disabling safety functions, or stopping production.

Who's at risk

Water utilities and electric utilities operating Logix-based process control systems, particularly those using ControlLogix 5580 (1756-L8z), GuardLogix 5580 (1756-L8zS), or 1756-EN series network adapters. Any facility relying on these controllers for water treatment, distribution, wastewater operations, or power generation/distribution should assess their equipment inventory.

How it could be exploited

An attacker with legitimate engineering credentials gains network access to a Logix controller and sends CIP (Common Industrial Protocol) commands that bypass intended restrictions. The attacker can then modify PLC logic, alter process parameters, or disable safety interlocks without proper authorization checks.

Prerequisites

Valid engineering workstation credentials (username/password or certificate)
Network access to the Logix controller on port 2222 (default EtherNet/IP) or configured CIP port
Controller not in RUN mode (mode switch in RUN position blocks CIP commands)

Remotely exploitable (network access)Requires valid credentialsMedium complexity exploitationNo patch available for Series A hardware variantsAffects industrial control logic and safety systemsHigh CVSS score (8.4)

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (16)

3 with fix13 pending

ProductAffected VersionsFix Status

ControlLogix 5580 (1756-L8z): V28V28V32.016, V33.015, V34.014, V35.011+

GuardLogix 5580 (1756-L8zS): V31V31V32.016, V33.015, V34.014, V35.011+

1756-EN4TR: V2V2V5.001+

1756-EN2T, Series A/B/C (unsigned version): v5.007v5.007No fix yet

1756-EN2F, Series A/B (unsigned version): v5.007v5.007No fix yet

Remediation & Mitigation

0/9

Do now

0/1

WORKAROUNDSet the mode switch on all Logix controllers to RUN position to prevent CIP programming and configuration commands

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

ControlLogix 5580 (1756-L8z): V28

HOTFIXUpdate ControlLogix 5580 (1756-L8z) to firmware version V32.016, V33.015, V34.014, V35.011 or later

HOTFIXUpdate GuardLogix 5580 (1756-L8zS) to firmware version V32.016, V33.015, V34.014, V35.011 or later

All products

HOTFIXUpdate 1756-EN4TR network adapter to firmware version V5.001 or later

HOTFIXUpdate 1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A to firmware version V12.001 or later

HOTFIXFor 1756-EN2T/EN2F/EN2TR/EN3TR Series A products: upgrade to Series D hardware to obtain patched firmware

Long-term hardening

0/3

HARDENINGImplement network segmentation to isolate Logix controllers from business networks and internet exposure

HARDENINGDeploy firewall rules to restrict network access to Logix controllers, allowing only authorized engineering workstations

HARDENINGFor remote access scenarios, implement VPN with current security patches and restrict to minimal necessary personnel

CVEs (1)

CVE-2024-6242

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4ac69348-146d-4e10-a8f6-161cb92e10f5

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.