Rockwell Automation ControlLogix/GuardLogix 5580 and CompactLogix/Compact GuardLogix 5380

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-24-256-18 | Sep 12, 2024
Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial-of-service vulnerability exists in Rockwell Automation ControlLogix and CompactLogix programmable logic controllers (PLCs) when CIP Security is enabled. An attacker can send a malicious CIP security message over the network, causing the controller to become unresponsive and require a factory reset to restore operation. Affected products include CompactLogix 5380/5480, ControlLogix 5580, GuardLogix 5580, Compact GuardLogix 5380 (SIL 2/3), and the 1756-EN4 EtherNet/IP adapter card. The vulnerability is caused by improper validation of CIP security packets (CWE-20).

What this means
What could happen
A denial-of-service flaw in ControlLogix and CompactLogix controllers can make the device unresponsive and require a factory reset to recover. This stops automation processes until the controller is restored, disrupting water treatment, power distribution, or other critical industrial operations.
Who's at risk
Water treatment facilities, municipal electric utilities, manufacturing plants, and other organizations running Rockwell Automation ControlLogix 5580, CompactLogix 5380/5480, GuardLogix 5580, or Compact GuardLogix 5380 controllers with CIP Security enabled are affected. The 1756-EN4 EtherNet/IP adapter card is also vulnerable when used in these controller families.
How it could be exploited
An attacker with network access to the controller can send a specially crafted CIP (Common Industrial Protocol) security message that triggers a denial-of-service condition. The device becomes unresponsive and must be physically recovered via factory reset.
Prerequisites
  • Network access to EtherNet/IP port 2222 (default CIP port) or port 44818 (alternate CIP security port)
  • CIP Security feature must be enabled on the target device (enabled by default on affected versions)
  • No authentication required to send a malicious CIP packet
  • Remotely exploitable without authentication
  • Low attack complexity: attacker only needs to send a malformed CIP packet
  • Causes complete loss of device availability requiring factory reset
  • Default-enabled feature (CIP Security) means most deployed systems are vulnerable out-of-the-box
  • No active public exploitation reported, but CVSS 7.5 indicates high impact
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (9)
9 with fix
Product | Affected Versions | Fix Status
CompactLogix 5380 Process | v.33.011 | v33.017+
ControlLogix 5580 Process | v.33.011 | v33.017+
CompactLogix 5380 | v.32.011 | v33.017+
Compact GuardLogix 5380 SIL 2 | v.32.013 | v33.017+
Compact GuardLogix 5380 SIL 3 | v.32.011 | v33.017+
CompactLogix 5480 | v.32.011 | v33.017+
ControlLogix 5580 | v.32.011 | v33.017+
GuardLogix 5580 | v.32.011 | v33.017+
Remediation & Mitigation
Do now
  • WORKAROUND: Disable CIP Security on devices if immediate patching is not feasible, using the procedure in Rockwell Automation publication SECURE-AT001 Chapter 2
  • HARDENING: Restrict network access to EtherNet/IP ports (2222, 44818) to only authorized engineering and automation networks using firewalls or ACLs
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update CompactLogix 5380, 5480, and ControlLogix 5580 controllers to firmware version 33.017 or later (e.g., v34.014, v35.013, v36.011)
  • HOTFIX: Update Compact GuardLogix 5380 SIL 2/SIL 3 and GuardLogix 5580 to firmware version 33.017 or later
  • HOTFIX: Update 1756-EN4 EtherNet/IP adapter card to firmware version 6.001 or later
Long-term hardening
  • HARDENING: Isolate automation control networks from business/internet-facing networks using network segmentation
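
One way to check that the port restriction and network segmentation recommended above are actually in effect, as an added example (not part of the advisory and not Rockwell Automation tooling): the script reads a flow export and lists sources outside the authorized networks that reach controllers on ports 2222 or 44818. The controller addresses, authorized subnets, CSV column names and sample flows are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

# Ports the advisory lists for EtherNet/IP / CIP access to the controllers.
CIP_PORTS = {2222, 44818}

# Assumed site values (placeholders): replace with your own address plan.
CONTROLLERS = {ipaddress.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}
AUTHORIZED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.30.5.0/28")]

# Constructed sample flow export (hypothetical column names), not real traffic.
SAMPLE_FLOWS = """\
src,dst,dst_port,proto
10.20.0.50,10.20.0.11,44818,tcp
10.30.5.4,10.20.0.12,2222,udp
192.168.7.23,10.20.0.11,44818,tcp
192.168.7.23,10.20.0.11,44818,tcp
10.40.1.9,10.20.0.12,2222,udp
192.168.7.23,10.20.0.11,443,tcp
10.40.1.9,10.99.0.1,44818,tcp
not-an-ip,10.20.0.11,44818,tcp
"""

def unauthorized_cip_flows(flow_csv):
    """Return (Counter of unauthorized (src, dst, port) flows, unparsable rows)."""
    hits, rejects = Counter(), []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            port = int(row["dst_port"])
        except (ValueError, KeyError, TypeError):
            rejects.append(row)  # keep malformed rows visible instead of dropping them
            continue
        if dst not in CONTROLLERS or port not in CIP_PORTS:
            continue  # not CIP traffic to a controller in scope
        if not any(src in net for net in AUTHORIZED_NETS):
            hits[(str(src), str(dst), port)] += 1
    return hits, rejects

if __name__ == "__main__":
    hits, rejects = unauthorized_cip_flows(SAMPLE_FLOWS)
    for (src, dst, port), n in hits.most_common():
        print(f"REVIEW {src} -> {dst}:{port} ({n} flows)")
    print(f"{len(rejects)} unparsable row(s)")
```

Any source reported here reaches a controller on a CIP port despite the intended ACL, so the firewall rule or segment boundary on that path needs review.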