Rockwell Automation Logix Controllers
Plan Patch8.6ICS-CERT ICSA-24-284-18Oct 10, 2024
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
A resource exhaustion vulnerability (CWE-400) in Rockwell Automation Logix controllers allows remote denial-of-service attacks via malformed network packets. Affected devices include CompactLogix 5380/5480, Compact GuardLogix 5380, ControlLogix 5580, GuardLogix 5580, and 1756-EN4TR EtherNet/IP modules. Firmware versions between v33.011 and v33.014 (or v3.002 for the 1756-EN4TR) are vulnerable. Exploitation requires only network access—no credentials or authentication are needed. A successful attack causes the controller to become unresponsive, requiring manual intervention to restore operations.
What this means
What could happen
An attacker could send specially crafted network traffic to cause a denial-of-service condition on affected Logix controllers, stopping normal process operations until the device is rebooted or the network connection is restored.
Who's at risk
Manufacturers and utilities operating Rockwell Automation Logix-family controllers should prioritize patching. This affects CompactLogix 5380/5480, Compact GuardLogix 5380, ControlLogix 5580, GuardLogix 5580 (safety-rated version), and 1756-EN4TR EtherNet/IP modules used in manufacturing, water/wastewater systems, power distribution, and other continuous process environments.
How it could be exploited
An attacker on the network sends malicious network packets to port 2222 (EtherNet/IP) or the configured port on a vulnerable Logix controller. The device processes these packets incorrectly, consuming resources or becoming unresponsive, causing operations to halt.
Prerequisites
- Network access to the Logix controller (direct or via adjacent network segment)
- Controller running vulnerable firmware version (v33.011-v33.014 for most models, or v3.002 for 1756-EN4TR)
- No authentication required to send malicious packets
remotely exploitableno authentication requiredlow complexitynetwork-accessible controllers at riskaffects industrial control operationsaffects safety-rated systems (GuardLogix models)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (6)
6 with fix
ProductAffected VersionsFix Status
CompactLogix 5380: >v33.011|<v33.015>v33.011|<v33.01533.015 and later for versions 33
Compact GuardLogix 5380: >v33.011|<v33.015>v33.011|<v33.01533.015 and later for versions 33
CompactLogix 5480: >v33.011|<v33.015>v33.011|<v33.01533.015 and later for versions 33
ControlLogix 5580: >v33.011|<v33.015>v33.011|<v33.01533.015 and later for versions 33
GuardLogix 5580: >v33.011|<v33.015>v33.011|<v33.01533.015 and later for versions 33
1756-EN4TR: v3.002v3.0024.001 and later
Remediation & Mitigation
0/9
Do now
0/1WORKAROUNDImplement network firewall rules to restrict EtherNet/IP traffic (port 2222 UDP/TCP) to authorized workstations and engineering devices only
Schedule — requires maintenance window
0/6Patching may require device reboot — plan for process interruption
HOTFIXUpdate CompactLogix 5380 to firmware v33.015 or later (v33 branch) or v34.011 and later
HOTFIXUpdate Compact GuardLogix 5380 to firmware v33.015 or later (v33 branch) or v34.011 and later
HOTFIXUpdate CompactLogix 5480 to firmware v33.015 or later (v33 branch) or v34.011 and later
HOTFIXUpdate ControlLogix 5580 to firmware v33.015 or later (v33 branch) or v34.011 and later
HOTFIXUpdate GuardLogix 5580 to firmware v33.015 or later (v33 branch) or v34.011 and later
HOTFIXUpdate 1756-EN4TR module to firmware v4.001 or later
Long-term hardening
0/2HARDENINGIsolate Logix controller networks from the business network and internet using firewalls and network segmentation
HARDENINGDisable unnecessary network services on Logix controllers and adjacent infrastructure
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/a491fee3-754b-4ed3-9e30-91ff1d7566b8