OTPulse

Rockwell Automation ControlLogix/GuardLogix 5580 and CompactLogix/Compact GuardLogix 5380

Status: Plan Patch · CVSS 7.5 · ICS-CERT ICSA-24-256-18 · Published Sep 12, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

An input validation flaw in CIP (Common Industrial Protocol) handling on Rockwell Automation ControlLogix 5580, CompactLogix 5380/5480, and GuardLogix 5580 controllers allows a remote, unauthenticated attacker to cause a denial of service by sending a specially crafted CIP packet. The flaw is reachable only when the CIP Security feature is enabled on the device. Successful exploitation leaves the controller unresponsive, and recovery requires a factory reset. The flaw is present in ControlLogix 5580 v32.011, ControlLogix 5580 Process v33.011, CompactLogix 5380 v32.011, CompactLogix 5380 Process v33.011, Compact GuardLogix 5380 SIL 2 v32.013, Compact GuardLogix 5380 SIL 3 v32.011, CompactLogix 5480 v32.011, GuardLogix 5580 v32.011, and 1756-EN4 v2.001.

What this means
What could happen
Successful exploitation renders the affected ControlLogix or CompactLogix controller unavailable until it is factory reset and its controller project is restored from a known-good backup. The result is unplanned downtime in critical processes such as water treatment or power distribution, and on safety-rated controllers, loss of the safety function they provide.
Who's at risk
Water authorities and utilities operating Rockwell Automation ControlLogix 5580, CompactLogix 5380/5480, GuardLogix 5580, and CompactLogix 5380 Process controllers on the affected firmware with CIP Security enabled. This includes safety-rated Compact GuardLogix 5380 (SIL 2 and SIL 3) and GuardLogix 5580 controllers. Networked 1756-EN4 EtherNet/IP modules used with these controllers are also affected.
How it could be exploited
An attacker with network access to the controller's CIP interface sends a specially crafted CIP packet that triggers the input validation flaw, causing the controller to fault and become unresponsive. The attack requires no authentication and no user interaction.
Prerequisites
  • Network reachability to the controller's EtherNet/IP interface: TCP/UDP 44818 (explicit messaging), UDP 2222 (implicit I/O), and, when CIP Security is enabled, TCP/UDP 2221 (TLS/DTLS-wrapped CIP)
  • CIP Security must be enabled on the device (it is only active once a security policy has been deployed to the controller; check the device's security configuration rather than assuming a default)
Key risk factors:
  • Remotely exploitable over the network
  • No authentication required
  • Low attack complexity
  • Affects safety-rated controllers (GuardLogix SIL 2/3)
  • Fix requires a firmware upgrade (v33.017 or later; v6.001 or later for 1756-EN4) and therefore a maintenance window
  • Causes denial of service to critical control systems, with factory reset needed to recover
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (9)
9 with fix
Product                          Affected Versions   Fix Status
CompactLogix 5380 Process        v33.011             v33.017 or later
ControlLogix 5580 Process        v33.011             v33.017 or later
CompactLogix 5380                v32.011             v33.017 or later
Compact GuardLogix 5380 SIL 2    v32.013             v33.017 or later
Compact GuardLogix 5380 SIL 3    v32.011             v33.017 or later
CompactLogix 5480                v32.011             v33.017 or later
ControlLogix 5580                v32.011             v33.017 or later
GuardLogix 5580                  v32.011             v33.017 or later
1756-EN4                         v2.001              v6.001 or later
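A small triage script for checking a controller inventory against the affected and fixed versions in the table above. This is an added example, not OTPulse or Rockwell Automation code. The inventory is constructed; the version table is taken from this page. It assumes Logix firmware strings of the form "v33.017" (major.minor) and treats any version at or above the listed fix version as fixed; a version below the fix that is not on the page's affected list is reported for manual confirmation against the vendor advisory rather than guessed at.

```python
"""Triage a controller inventory against the advisory's affected/fixed versions.

Added example (not OTPulse or Rockwell code). SAMPLE_INVENTORY is constructed.
Assumptions: firmware strings look like "v33.017" (major.minor); anything at or
above the fixed version is fixed; CIP Security disabled only removes exposure,
it does not remove the bug.
"""
import re

# Product -> (affected versions listed on this page, first fixed version).
ADVISORY = {
    "CompactLogix 5380 Process":     (("33.011",), "33.017"),
    "ControlLogix 5580 Process":     (("33.011",), "33.017"),
    "CompactLogix 5380":             (("32.011",), "33.017"),
    "Compact GuardLogix 5380 SIL 2": (("32.013",), "33.017"),
    "Compact GuardLogix 5380 SIL 3": (("32.011",), "33.017"),
    "CompactLogix 5480":             (("32.011",), "33.017"),
    "ControlLogix 5580":             (("32.011",), "33.017"),
    "GuardLogix 5580":               (("32.011",), "33.017"),
    "1756-EN4":                      (("2.001",),  "6.001"),
}

_VER = re.compile(r"^v?\.?(\d+)\.(\d+)$")


def parse_version(text):
    """'v33.017', 'v.33.017' or '33.017' -> (33, 17); anything else is an error."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def classify(product, version, cip_security_enabled):
    """Return one of 'not-listed', 'fixed', 'affected',
    'affected-cip-security-off' or 'below-fix-verify'."""
    if product not in ADVISORY:
        return "not-listed"
    listed, fixed = ADVISORY[product]
    v = parse_version(version)
    if v >= parse_version(fixed):
        return "fixed"
    if any(v == parse_version(a) for a in listed):
        # Vulnerable code is present either way; exposure needs CIP Security on.
        return "affected" if cip_security_enabled else "affected-cip-security-off"
    # Below the fix but not on the page's list: confirm with the vendor advisory.
    return "below-fix-verify"


def triage(inventory):
    """inventory: iterable of (tag, product, version, cip_security_enabled)."""
    return {tag: classify(prod, ver, cip) for tag, prod, ver, cip in inventory}


# Constructed sample inventory; tags, products and versions are illustrative.
SAMPLE_INVENTORY = [
    ("PLC-WTP-01", "ControlLogix 5580",             "v32.011", True),
    ("PLC-WTP-02", "ControlLogix 5580",             "v33.017", True),
    ("PLC-CHL-01", "Compact GuardLogix 5380 SIL 3", "v32.011", False),
    ("PLC-PMP-04", "CompactLogix 5380",             "v32.012", True),
    ("ENET-01",    "1756-EN4",                      "v2.001",  True),
    ("PLC-OLD-09", "CompactLogix 5370",             "v20.019", False),
]

if __name__ == "__main__":
    for tag, status in triage(SAMPLE_INVENTORY).items():
        print(f"{tag:12} {status}")
```

Devices reported as "affected" need the firmware upgrade or, until then, the workaround below; "affected-cip-security-off" devices still carry the flaw and should be patched before CIP Security is ever turned on.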
Remediation & Mitigation
Do now
WORKAROUND: Disable the CIP Security feature on devices that cannot yet be patched, following Rockwell Automation's CIP Security guidance (SECURE-AT001). Disabling CIP Security removes the authentication and encryption it provides for CIP traffic, so treat this as a temporary measure and pair it with the network restrictions under long-term hardening.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade to patched firmware: CompactLogix 5380/5480, ControlLogix 5580, and their Process and GuardLogix variants to v33.017 or later; 1756-EN4 to v6.001 or later. Verify the running revision after the upgrade, and back up the controller project before starting.
Long-term hardening
HARDENING: Implement network segmentation: isolate PLC networks from the business network and the internet; restrict inbound CIP traffic to trusted engineering workstations only.
HARDENING: For remote access requirements, enforce VPN with MFA and keep VPN appliances fully patched.
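A detection check for the segmentation control above: flag CIP sessions into the control network that did not originate from an approved engineering workstation, with particular attention to the CIP Security port, since that is the configuration in which this flaw is reachable. This is an added example, not OTPulse or Rockwell Automation code. The log lines are constructed in a simple "timestamp source destination protocol dport" layout (not a real firewall or Zeek format), and the control-network range and workstation allowlist are placeholders. The port set (TCP/UDP 44818 for explicit messaging, UDP 2222 for implicit I/O, TCP/UDP 2221 for CIP Security) is standard EtherNet/IP; controller-to-controller traffic inside the control network is treated as expected peer traffic so that produced/consumed tags and I/O do not raise alerts.

```python
"""Flag CIP/EtherNet/IP sessions into the PLC network from non-approved sources.

Added example, not from OTPulse or Rockwell. SAMPLE_LOG is constructed in a
simple "ts src dst proto dport" layout; PLC_NETWORK and the allowlist are
placeholders to replace with site data.
"""
import ipaddress

# EtherNet/IP explicit messaging (TCP/UDP 44818), implicit I/O (UDP 2222),
# and CIP Security TLS/DTLS (TCP/UDP 2221).
CIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222),
             ("tcp", 2221), ("udp", 2221)}

PLC_NETWORK = ipaddress.ip_network("10.20.30.0/24")          # assumed control network
ENGINEERING_ALLOWLIST = {                                     # assumed engineering workstations
    ipaddress.ip_address("10.20.10.5"),
    ipaddress.ip_address("10.20.10.6"),
}


def parse_line(line):
    """Parse one constructed log line into (ts, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)


def unexpected_cip_sessions(lines):
    """Return (ts, src, dst, proto, dport) for CIP sessions into PLC_NETWORK whose
    source is neither an approved workstation nor another host on the control
    network. Non-CIP traffic, comments and blank lines are ignored."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = parse_line(line)
        if dst not in PLC_NETWORK or (proto, dport) not in CIP_PORTS:
            continue
        if src in ENGINEERING_ALLOWLIST or src in PLC_NETWORK:
            continue          # approved workstation or controller-to-controller peer
        hits.append((ts, str(src), str(dst), proto, dport))
    return hits


# Constructed sample log; addresses and times are illustrative only.
SAMPLE_LOG = """\
# ts src dst proto dport
2024-09-12T08:00:01 10.20.10.5   10.20.30.11 tcp 44818
2024-09-12T08:00:02 10.20.30.12  10.20.30.11 udp 2222
2024-09-12T08:00:03 192.168.1.77 10.20.30.11 tcp 44818
2024-09-12T08:00:04 192.168.1.77 10.20.30.11 tcp 2221
2024-09-12T08:00:05 10.20.10.9   10.20.30.11 tcp 443
2024-09-12T08:00:06 10.20.10.9   10.20.30.13 udp 44818
"""

if __name__ == "__main__":
    for ts, src, dst, proto, dport in unexpected_cip_sessions(SAMPLE_LOG.splitlines()):
        flag = " (CIP Security port)" if dport == 2221 else ""
        print(f"{ts} {src} -> {dst} {proto}/{dport}{flag}")
```

Any hit from outside the control network is a segmentation failure worth fixing at the firewall regardless of this advisory; a hit on TCP/UDP 2221 from an unapproved host shows that the CIP Security listener, the one needed to reach this flaw, is exposed beyond the engineering workstations.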