Rockwell Automation ControlLogix, GuardLogix 5580, CompactLogix, and Compact GuardLogix 5380
Plan Patch · 8.6 · ICS-CERT ICSA-24-226-10 · Aug 13, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An input validation vulnerability in Rockwell Automation ControlLogix 5580, GuardLogix 5580, CompactLogix 5380/5480, and Compact GuardLogix 5380 controllers allows an attacker to crash the device by sending a malformed CIP (Common Industrial Protocol) message. The device fails to properly validate the input, resulting in a denial of service condition. Successful exploitation causes the controller to stop executing logic, interrupting production processes. The vulnerability affects devices running firmware versions prior to v36.011, v35.013, or v34.014. No public exploitation has been reported, but the attack requires only network access and no credentials.
What this means
What could happen
An attacker could crash a CompactLogix, ControlLogix, GuardLogix, or Compact GuardLogix controller by sending a specially crafted message, causing process interruption and requiring a manual restart of the device.
Who's at risk
Manufacturing and process industries using Rockwell Automation CompactLogix 5380/5480, ControlLogix 5580, GuardLogix 5580, and Compact GuardLogix 5380 controllers for machine logic, process automation, and safety-critical functions should assess exposure. This includes automotive plants, food and beverage processing, chemical facilities, water treatment, and power generation sites.
How it could be exploited
An attacker with network access to the controller can send a malformed input to the device on port 44818 (EtherNet/IP). The device fails to properly validate the CIP (Common Industrial Protocol) message, triggering a crash that results in a denial of service.
Prerequisites
- Network access to the controller on port 44818 (EtherNet/IP)
- No credentials required
- Device must be running firmware version prior to v36.011/v35.013/v34.014
Tags: remotely exploitable, no authentication required, low complexity, affects safety systems (GuardLogix), no patch available
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (5)
5 pending
Product | Affected Versions | Fix Status
CompactLogix 5380 (5069 - L3z) | <v36.011 v35.013 v34.014 | No fix yet
CompactLogix 5480 (5069 - L4) | <v36.011 v35.013 v34.014 | No fix yet
ControlLogix 5580 (1756 - L8z) | <v36.011 v35.013 v34.014 | No fix yet
GuardLogix 5580 (1756 - L8z) | <v36.011 v35.013 v34.014 | No fix yet
Compact GuardLogix 5380 (5069 - L3zS2) | <v36.011 v35.013 v34.014 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to CIP object 103 (0x67) at the firewall to only authorized engineering workstations and PLCs
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all affected controllers to firmware v36.011 (for CompactLogix/ControlLogix 5880), v35.013, or v34.014 or later
Long-term hardening
HARDENING: Isolate controller networks from business network and internet; ensure controllers are not remotely accessible from outside your facility
HARDENING: If remote access is required, use a VPN with current security patches; implement network segmentation between corporate and control system networks
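One way to express the "Do now" workaround as an inspection rule, added here as an example (not Rockwell's or the advisory's code): it parses an EtherNet/IP frame seen on port 44818, extracts the CIP class from the request path, and drops requests for object 0x67 from sources outside an allowlist. The function names, the `ALLOWED_SOURCES` address and the `SAMPLE` frame are constructed for illustration; the code assumes each payload is one complete encapsulation frame and does not unpack requests nested inside an Unconnected Send.

```python
import struct

BLOCKED_CLASS = 0x67               # CIP object 103 named in the workaround
ALLOWED_SOURCES = {"10.0.5.20"}    # hypothetical engineering workstation address
# Constructed sample: SendRRData carrying Get_Attributes_All for class 0x67, instance 1
SAMPLE = bytes.fromhex("6f00 1600 01000000" + "00" * 16 +
                       "00000000 0a00 0200 00000000 b2000600 01 02 2067 2401")

def cip_class(path: bytes):
    """Class ID from a padded EPATH of 8/16-bit logical segments, else None."""
    i = 0
    while i < len(path):
        seg = path[i]
        if seg & 0xE0 != 0x20 or seg & 0x03 > 1:
            return None                      # other segment kinds: not handled here
        size = 2 if seg & 0x03 == 0 else 4   # 16-bit form carries a pad byte
        if i + size > len(path):
            raise ValueError("truncated EPATH segment")
        if seg & 0x1C == 0:                  # logical type 0 = class ID
            return int.from_bytes(path[i + size // 2:i + size], "little")
        i += size
    return None

def requested_class(frame: bytes):
    """Class addressed by the CIP request in one EtherNet/IP frame, else None."""
    command, length = struct.unpack_from("<HH", frame)
    if command not in (0x006F, 0x0070):      # SendRRData, SendUnitData
        return None
    body = frame[24:]                        # skip the 24-byte encapsulation header
    if len(body) != length or length < 8:
        raise ValueError("encapsulation length mismatch")
    pos, (count,) = 8, struct.unpack_from("<H", body, 6)  # after handle + timeout
    for _ in range(count):
        item_type, item_len = struct.unpack_from("<HH", body, pos)
        data, pos = body[pos + 4:pos + 4 + item_len], pos + 4 + item_len
        if item_type == 0x00B1:              # connected data: skip sequence count
            data = data[2:]
        elif item_type != 0x00B2:            # only data items carry a CIP request
            continue
        if len(data) < 2 or len(data) < 2 + 2 * data[1]:
            raise ValueError("truncated CIP request path")
        return cip_class(data[2:2 + 2 * data[1]])
    return None

def verdict(src_ip: str, frame: bytes) -> str:
    try:
        hit = requested_class(frame) == BLOCKED_CLASS
    except (ValueError, struct.error):
        hit = True                           # example's choice: fail closed
    return "drop" if hit and src_ip not in ALLOWED_SOURCES else "pass"
```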
CVEs (1)