Rockwell Automation Micro850/870
Monitor | 5.3 | ICS-CERT ICSA-24-226-07 | Aug 13, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Micro850/870 PLC contains a flaw (CWE-400: Uncontrolled Resource Consumption) in how it handles network traffic on CIP and Modbus protocols. An unauthenticated remote attacker can send crafted packets that cause the communication protocols to stop responding for a short time, disrupting the device's ability to exchange data with the SCADA system or other networked devices. This affects firmware versions before v22.011. Rockwell Automation has released firmware v22.011 as a fix.
What this means
What could happen
An attacker could disrupt communication between your Micro850/870 PLC and your SCADA system or other devices via CIP or Modbus protocols, potentially causing loss of visibility or control of process parameters for the duration of the attack.
Who's at risk
Manufacturing facilities using Rockwell Automation Micro850 or Micro870 PLCs for process control, particularly those relying on CIP or Modbus communication to monitor or command the controllers, should assess their exposure. This includes discrete manufacturing, water/wastewater treatment, and power generation sites that depend on these controllers for critical process operations.
How it could be exploited
An attacker with network access to the Micro850/870 device can send a specially crafted network packet that triggers a denial-of-service condition, interrupting the CIP or Modbus communication channels the PLC uses to talk to your control system.
Prerequisites
- Network access to the Micro850/870 PLC on port 2222 (CIP) or port 502 (Modbus)
- No credentials required
- Device must be running firmware version earlier than v22.011
Remotely exploitable | No authentication required | Low complexity attack | No patch available for older unsupported versions
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
PLC - Micro850/870 (2080-L50E/2080-L70E): <v22.011 | <v22.011 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Micro850/870 devices using firewall rules; block inbound traffic on CIP (port 2222) and Modbus (port 502) ports from untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Micro850/870 firmware to version v22.011 or later
Long-term hardening
HARDENING: Isolate the PLC network from the business network using air gaps or demilitarized zones (DMZ); do not expose PLCs directly to the internet
HARDENING: If remote access to the PLC is required, route all connections through a VPN with current security patches rather than exposing the device directly to the network
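One way to check the workaround and the firmware step together, as an added example that is not part of the advisory or any Rockwell Automation tooling: it flags controllers with firmware earlier than v22.011 and allowed flows from untrusted sources to the CIP and Modbus ports named above. The inventory, the trusted network, and the `src dst dst_port action` log format are constructed assumptions.

```python
import ipaddress

FIXED_VERSION = (22, 11)                       # v22.011, from the advisory
PROTOCOL_PORTS = {2222: "CIP", 502: "Modbus"}  # ports named in the advisory

# Constructed sample data (assumptions, not from the advisory).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
INVENTORY = {"10.20.0.11": "v21.011", "10.20.0.12": "v22.011", "10.20.0.13": "v9.011"}
FLOWS = [  # hypothetical log format: "src dst dst_port action"
    "10.20.0.5 10.20.0.11 2222 ALLOW",
    "192.168.50.7 10.20.0.11 502 ALLOW",
    "192.168.50.7 10.20.0.12 2222 DENY",
    "172.16.3.9 10.20.0.13 2222 ALLOW",
    "192.168.50.7 10.20.0.12 443 ALLOW",
]

def parse_version(text):
    """'v22.011' -> (22, 11); numeric tuples avoid lexical errors ('v9' > 'v22')."""
    major, minor = text.strip().lstrip("vV").split(".")[:2]
    return int(major), int(minor)

def needs_update(firmware):
    """True when the firmware is earlier than the fixed release."""
    return parse_version(firmware) < FIXED_VERSION

def is_trusted(src):
    """True when the source address falls inside a trusted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)

def audit(inventory, flows):
    """Return (PLCs needing the update, allowed untrusted flows to CIP/Modbus)."""
    vulnerable = {ip for ip, fw in inventory.items() if needs_update(fw)}
    findings = []
    for line in flows:
        src, dst, port, action = line.split()
        proto = PROTOCOL_PORTS.get(int(port))
        if dst in inventory and proto and action == "ALLOW" and not is_trusted(src):
            findings.append((dst, proto, src, dst in vulnerable))
    return vulnerable, findings

if __name__ == "__main__":
    vulnerable, findings = audit(INVENTORY, FLOWS)
    print("Firmware earlier than v22.011:", sorted(vulnerable))
    for dst, proto, src, vuln in findings:
        print(f"{proto} reachable on {dst} from untrusted {src} (needs update: {vuln})")
```

Each finding is a firewall rule to tighten; a finding on a controller that also needs the update is the one to schedule first.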
CVEs (1)