Rockwell Automation ControlLogix, GuardLogix 5580, CompactLogix, and Compact GuardLogix 5380

Plan PatchCVSS 8.6ICS-CERT ICSA-24-226-10Aug 13, 2024

Rockwell Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A input validation vulnerability in Rockwell Automation ControlLogix 5580, GuardLogix 5580, CompactLogix 5380/5480, and Compact GuardLogix 5380 controllers allows an attacker to crash the device by sending a malformed CIP (Common Industrial Protocol) message. The device fails to properly validate the input, resulting in a denial of service condition. Successful exploitation causes the controller to stop executing logic, interrupting production processes. The vulnerability affects devices running firmware versions prior to v36.011, v35.013, or v34.014. No public exploitation has been reported, but the attack requires only network access and no credentials.

What this means

What could happen

An attacker could crash a CompactLogix, ControlLogix, GuardLogix, or Compact GuardLogix controller by sending a specially crafted message, causing process interruption and requiring a manual restart of the device.

Who's at risk

Manufacturing and process industries using Rockwell Automation CompactLogix 5380/5480, ControlLogix 5580, GuardLogix 5580, and Compact GuardLogix 5380 controllers for machine logic, process automation, and safety-critical functions should assess exposure. This includes automotive plants, food and beverage processing, chemical facilities, water treatment, and power generation sites.

How it could be exploited

An attacker with network access to the controller can send a malformed input to the device on port 44818 (EtherNet/IP). The device fails to properly validate the CIP (Common Industrial Protocol) message, triggering a crash that results in a denial of service.

Prerequisites

Network access to the controller on port 44818 (EtherNet/IP)
No credentials required
Device must be running firmware version prior to v36.011/v35.013/v34.014

remotely exploitableno authentication requiredlow complexityaffects safety systems (GuardLogix)no patch available

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (5)

5 pending

ProductAffected VersionsFix Status

CompactLogix 5380 (5069 - L3z): <v36.011_v35.013_v34.014<v36.011 v35.013 v34.014No fix yet

CompactLogix 5480 (5069 - L4): <v36.011_v35.013_v34.014<v36.011 v35.013 v34.014No fix yet

ControlLogix 5580 (1756 - L8z): <v36.011_v35.013_v34.014<v36.011 v35.013 v34.014No fix yet

GuardLogix 5580 (1756 - L8z): <v36.011_v35.013_v34.014<v36.011 v35.013 v34.014No fix yet

Compact GuardLogix 5380 (5069 - L3zS2): <v36.011_v35.013_v34.014<v36.011 v35.013 v34.014No fix yet

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to CIP object 103 (0x67) at the firewall to only authorized engineering workstations and PLCs

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all affected controllers to firmware v36.011 (for CompactLogix/ControlLogix 5880), v35.013, or v34.014 or later

Long-term hardening

0/2

HARDENINGIsolate controller networks from business network and internet; ensure controllers are not remotely accessible from outside your facility

HARDENINGIf remote access is required, use a VPN with current security patches; implement network segmentation between corporate and control system networks

CVEs (1)

CVE-2024-7515

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/802f5484-257a-42ff-b288-568ecaebab04

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.