OTPulse

Rockwell Automation GuardLogix/ControlLogix 5580 Controller

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-24-226-03 | Aug 13, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial-of-service vulnerability (CWE-754) exists in ControlLogix 5580 and GuardLogix 5580 controllers running firmware version 34.011 or later. An attacker can send a specially crafted message to the controller, causing it to crash and stop responding. This prevents the device from controlling connected machinery or processes until manually restarted. The vulnerability requires only network access and no authentication.

What this means
What could happen
An attacker could crash the ControlLogix or GuardLogix 5580 controller, causing loss of control over connected machinery and process interruption until the device is manually restarted.
Who's at risk
Manufacturing, water utilities, and electric utilities that use Rockwell Automation ControlLogix 5580 or GuardLogix 5580 programmable logic controllers (PLCs) for process control should assess their exposure. GuardLogix is particularly relevant if used in safety-critical applications.
How it could be exploited
An attacker with network access to the controller sends a specially crafted packet or command that triggers an unhandled exception in the firmware, causing the device to stop responding. No authentication is required.
Prerequisites
  • Network access to the ControlLogix 5580 or GuardLogix 5580 controller (typically port 2222 for EtherNet/IP or local network access)
  • Device running firmware version 34.011 or later but earlier than 34.014
  • Remotely exploitable over the network
  • No authentication required
  • Low complexity attack
  • Affects safety systems (GuardLogix)
  • Affects critical infrastructure (water, power)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
ControlLogix 5580 | ≥ v34.011 | 34.014 and later
GuardLogix 5580 | ≥ v34.011 | 34.014 and later
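
To find exposed units, the affected range given in this advisory (34.011 or later, but earlier than 34.014) can be checked against an asset inventory. The Python below is an added example, not part of the advisory or any vendor tooling; the CSV column names (`asset`, `product`, `firmware`) and the sample rows are constructed, and it assumes revisions compare numerically as major.minor.

```python
import csv
import io
import re

# Affected range as stated in this advisory: 34.011 <= firmware < 34.014
FIRST_AFFECTED = (34, 11)
FIRST_FIXED = (34, 14)
AFFECTED_PRODUCTS = ("controllogix 5580", "guardlogix 5580")

def parse_revision(text):
    """Turn 'v34.011' or '34.011' into (34, 11); return None if unparseable."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\s*", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(row):
    """Classify one inventory row as 'affected', 'ok', 'review' or 'n/a'."""
    product = " ".join((row.get("product") or "").lower().split())
    if not any(p in product for p in AFFECTED_PRODUCTS):
        return "n/a"      # product not covered by this advisory
    rev = parse_revision(row.get("firmware"))
    if rev is None:
        return "review"   # revision missing or malformed: verify on the device
    return "affected" if FIRST_AFFECTED <= rev < FIRST_FIXED else "ok"

def triage_inventory(csv_text):
    """Return {asset: status} for every row of an inventory CSV (assumed layout)."""
    return {r["asset"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}

# Constructed sample inventory, for illustration only
SAMPLE = """\
asset,product,firmware
PLC-01,ControlLogix 5580,34.011
PLC-02,GuardLogix  5580,v34.013
PLC-03,ControlLogix 5580,34.014
PLC-04,GuardLogix 5580,33.015
PLC-05,ControlLogix 5580,unknown
HMI-01,Operator panel,34.011
"""

if __name__ == "__main__":
    for asset, status in triage_inventory(SAMPLE).items():
        print(f"{asset}: {status}")
```

Rows marked `review` have no usable revision recorded and should be confirmed on the controller itself before being treated as unaffected.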
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the controllers by placing them behind a firewall and disabling unnecessary ports and services
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ControlLogix 5580 firmware to version 34.014 or later
HOTFIX: Update GuardLogix 5580 firmware to version 34.014 or later
Long-term hardening
HARDENING: Isolate the control system network from the business network using network segmentation or air-gapping