Rockwell Automation Logix Controllers
Plan PatchCVSS 8.6ICS-CERT ICSA-24-284-18Oct 10, 2024
Rockwell Automation
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Rockwell Automation Logix controllers (CompactLogix 5380/5480, ControlLogix 5580, GuardLogix 5380/5580, and 1756-EN4TR modules) contain a resource exhaustion vulnerability in their network packet handling. Affected firmware versions include CompactLogix/ControlLogix/GuardLogix v33.011 through v33.014, and 1756-EN4TR v3.002. An attacker with network access can send malformed packets to trigger a denial-of-service condition, causing the controller to stop responding to legitimate traffic and halting controlled industrial processes until the device is restarted.
What this means
What could happen
An attacker with network access to a Rockwell CompactLogix, ControlLogix, or GuardLogix controller running vulnerable firmware can send crafted network packets to stop the controller from responding, halting whatever process it controls—from pump operations to motor speeds to safety logic.
Who's at risk
Water authorities and municipal utilities running Rockwell Automation CompactLogix, ControlLogix, or GuardLogix PLCs (5000-series and 5500-series controllers) and their associated 1756-EN4TR Ethernet modules should assess whether they are running vulnerable firmware. These devices are commonly used to control pumps, motors, valves, and safety systems in water treatment plants and electrical distribution networks.
How it could be exploited
An attacker sends specially crafted network packets to the controller's network interface (likely exploiting a resource exhaustion flaw in the packet handling code). The controller becomes unable to process legitimate requests and stops responding until restarted, disrupting industrial processes.
Prerequisites
- Network access (direct or routed) to the controller's Ethernet port
- Controller running vulnerable firmware version (33.011 through 33.014 for CompactLogix/ControlLogix/GuardLogix 5000/5500 series, or 1756-EN4TR v3.002)
- No credentials or authentication required
Remotely exploitable over EthernetNo authentication requiredLow attack complexityCauses denial of service to critical industrial processVendor patches available but require maintenance downtime
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (6)
6 with fix
ProductAffected VersionsFix Status
CompactLogix 5380: >v33.011|<v33.015>v33.011|<v33.01533.015+ for versions 33
Compact GuardLogix 5380: >v33.011|<v33.015>v33.011|<v33.01533.015+ for versions 33
CompactLogix 5480: >v33.011|<v33.015>v33.011|<v33.01533.015+ for versions 33
ControlLogix 5580: >v33.011|<v33.015>v33.011|<v33.01533.015+ for versions 33
GuardLogix 5580: >v33.011|<v33.015>v33.011|<v33.01533.015+ for versions 33
1756-EN4TR: v3.002v3.0024.001+
Remediation & Mitigation
0/8
Do now
0/1HARDENINGRestrict network access to Logix controllers: place them behind a firewall, use network segmentation, and disable unnecessary exposed ports
Schedule — requires maintenance window
0/6Patching may require device reboot — plan for process interruption
HOTFIXUpdate CompactLogix 5380 to firmware version 33.015 or later (or 34.011 and later)
HOTFIXUpdate Compact GuardLogix 5380 to firmware version 33.015 or later (or 34.011 and later)
HOTFIXUpdate CompactLogix 5480 to firmware version 33.015 or later (or 34.011 and later)
HOTFIXUpdate ControlLogix 5580 to firmware version 33.015 or later (or 34.011 and later)
HOTFIXUpdate GuardLogix 5580 to firmware version 33.015 or later (or 34.011 and later)
HOTFIXUpdate 1756-EN4TR network module to firmware version 4.001 or later
Long-term hardening
0/1HARDENINGIsolate control system networks from business networks and ensure controllers are not directly accessible from the internet
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/a491fee3-754b-4ed3-9e30-91ff1d7566b8Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.