OTPulse

Rockwell Automation ControlLogix, GuardLogix 5580, CompactLogix, Compact GuardLogix 5380

Plan Patch · CVSS 7.5 · ICS-CERT ICSA-24-226-09 · Aug 13, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial-of-service vulnerability exists in Rockwell Automation ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, CompactLogix 5480, and Compact GuardLogix 5380 controllers. The vulnerability is triggered by improper validation of CIP (Common Industrial Protocol) messages sent to object 103 (0x67). An attacker with network access can cause the device to crash and become unresponsive. The vulnerability affects controllers with firmware versions below v36.011, v35.013, and v34.014 depending on the product line.

What this means
What could happen
An attacker could cause a denial-of-service condition on affected programmable logic controllers, interrupting production and process control until the device is rebooted or recovered.
Who's at risk
Manufacturing facilities, water treatment plants, electric utilities, and chemical processing operations using Rockwell Automation ControlLogix, GuardLogix 5580, CompactLogix, or Compact GuardLogix 5380 programmable logic controllers. Safety-rated systems using GuardLogix and Compact GuardLogix products are also affected.
How it could be exploited
An attacker with network access to the device sends a specially crafted CIP (Common Industrial Protocol) message to object 103 (0x67) on the PLC. The device fails to properly validate the message, crashes, and becomes unresponsive to control commands.
Prerequisites
  • Network reachability to the PLC on the CIP port (typically UDP 2222 or TCP 44818)
  • No authentication required to send CIP messages
remotely exploitable · no authentication required · low complexity · no patch available · affects safety systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5)
5 with fix
Product | Affected Versions | Fix Status
CompactLogix 5380 (5069 - L3z) | <v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 or later
CompactLogix 5480 (5069 - L4) | <v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 or later
ControlLogix 5580 (1756 - L8z) | <v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 or later
GuardLogix 5580 (1756 - L8z) | <v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 or later
Compact GuardLogix 5380 (5069 - L3zS2) | <v36.011, v35.013, v34.014 | v36.011, v35.013, v34.014 or later
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to CIP object 103 (0x67) using firewall or network ACL rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • HOTFIX: Update firmware to v36.011, v35.013, or v34.014 or later depending on product series
Long-term hardening
  • HARDENING: Isolate control system network from business network and internet using firewalls and network segmentation
  • HARDENING: Minimize direct internet exposure of all PLCs; use VPN for any required remote access
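To support the workaround above, the following added example (not code from OTPulse, Rockwell Automation, or the advisory) shows how a monitoring sensor could identify EtherNet/IP explicit-messaging requests addressed to CIP class 0x67, covering the 8-, 16- and 32-bit class encodings and requests carried inside Unconnected Send. It assumes one complete encapsulation frame per call on TCP 44818; the function names, session handle and sample bytes are constructed for illustration.

```python
import struct

# Constructed requests: Identity; 0x67 as 16-bit segment; 0x67 in Unconnected Send
SAMPLES = [bytes.fromhex(h) for h in ("0e03200124013001", "0e03210067002401",
           "5202200624010a0e08000e0320672401300101000100")]

def cip_classes(msg, depth=0):
    """Class IDs addressed by one CIP Message Router request (padded EPATH)."""
    if len(msg) < 2 or msg[0] & 0x80:              # truncated, or a reply
        return []
    end = 2 + 2 * msg[1]                           # path size is in 16-bit words
    path, data, classes, i = msg[2:end], msg[end:], [], 0
    while i < len(path):
        seg = path[i]
        if (seg & 0xE0) != 0x20 or (seg & 0x1F) >= 0x14 or (seg & 3) == 3:
            break                                  # not a plain logical segment
        width = (1, 2, 4)[seg & 3]
        start = i + (1 if width == 1 else 2)       # wide values follow a pad byte
        if start + width > len(path):
            break
        if (seg & 0x1C) == 0:                      # logical type 0 = Class ID
            classes.append(int.from_bytes(path[start:start + width], "little"))
        i = start + width
    # Unconnected Send (0x52 to class 0x06) embeds a request; cap the nesting depth.
    if msg[0] == 0x52 and classes == [0x06] and len(data) >= 4 and depth < 2:
        inner_len = struct.unpack_from("<H", data, 2)[0]
        classes += cip_classes(data[4:4 + inner_len], depth + 1)
    return classes

def enip_classes(frame):
    """Class IDs in one EtherNet/IP encapsulation frame (explicit messaging)."""
    command, length = struct.unpack_from("<HH", frame) if len(frame) >= 24 else (0, 0)
    body = frame[24:24 + length]
    if command not in (0x6F, 0x70) or len(body) < 8:   # SendRRData, SendUnitData
        return []
    items, off, found = struct.unpack_from("<H", body, 6)[0], 8, []
    while items and off + 4 <= len(body):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        item = body[off + 4:off + 4 + item_len]
        if item_type in (0x00B1, 0x00B2):              # connected / unconnected data
            found += cip_classes(item[2:] if item_type == 0x00B1 else item)
        items, off = items - 1, off + 4 + item_len
    return found

def sample_frame(cip):  # constructed input: CIP request inside a SendRRData frame
    body = struct.pack("<IHHHHHH", 0, 0, 2, 0, 0, 0x00B2, len(cip)) + cip
    return struct.pack("<HHII8sI", 0x6F, len(body), 0x1234, 0, b"", 0) + body

def watched(frame, cls=0x67):  # 0x67 = CIP object 103 named in this advisory
    return cls in enip_classes(frame)
```

This covers explicit messaging only; implicit I/O on UDP 2222 uses a different framing and is not parsed here.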
Rockwell Automation ControlLogix, GuardLogix 5580, CompactLogix, Compact GuardLogix 5380 | CVSS 7.5 - OTPulse