OTPulse

Rockwell Automation ControlLogix

Plan Patch | 7.5 | ICS-CERT ICSA-24-284-20 | Oct 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A specially crafted CIP message sent to Rockwell Automation ControlLogix, GuardLogix, CompactLogix, and FactoryTalk Logix Echo controllers running firmware versions below V33.017, V34.014, V35.013, or V36.011 can trigger a denial-of-service condition. The controllers fail to validate the message format, crash, and stop responding to control commands. The vulnerability is caused by improper input validation of CIP protocol messages.

What this means
What could happen
An attacker with network access to a Rockwell ControlLogix, GuardLogix, CompactLogix, or FactoryTalk Logix Echo controller can send a malformed message that crashes the controller, causing it to stop processing control logic and halt production until it is manually restarted.
Who's at risk
Water authorities and municipal utilities operating Rockwell ControlLogix, GuardLogix, or CompactLogix platforms for process control should care. This includes wastewater treatment operators, water distribution pump controllers, electrical generation and distribution control systems, and any facility using FactoryTalk Logix Echo for engineering or automation logic.
How it could be exploited
An attacker on the network sends a specially crafted CIP (Common Industrial Protocol) message to the controller. The device fails to properly validate the message format, crashes, and becomes unresponsive. The attacker does not need credentials or special tools—just network reachability to the controller's port.
Prerequisites
  • Network access to the controller on port 44818 (EtherNet/IP CIP)
  • No credentials or authentication required
  • Controller must be running a vulnerable firmware version (below V33.017/V34.014/V35.013/V36.011)
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • No patch available for older firmware branches
  • Affects safety-critical systems (GuardLogix SIL-rated variants)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (8)
8 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| ControlLogix 5580 Process | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011 or later |
| Compact GuardLogix 5380 SIL 2 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011 or later |
| ControlLogix 5580 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011 or later |
| GuardLogix 5580 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011 or later |
| CompactLogix 5380 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011 or later |
| Compact GuardLogix 5380 SIL 3 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011 or later |
| CompactLogix 5480 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011 or later |
| FactoryTalk Logix Echo | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011 or later |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to controllers using firewall rules; block inbound CIP traffic (port 44818/TCP) from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, CompactLogix 5480, Compact GuardLogix 5380, and FactoryTalk Logix Echo to firmware version V33.017, V34.014, V35.013, or V36.011 or later
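
To decide which assets need this update, an inventory can be checked against the per-branch fix levels. The following is an added example, not code from the advisory or from Rockwell Automation; the function names and inventory rows are constructed, and treating branches older than V33 as having no fixed build is an assumption based on the "No patch available for older firmware branches" tag above.

```python
import re

# Fixed revision per major firmware branch, from the advisory's fix list.
FIXED = {33: 17, 34: 14, 35: 13, 36: 11}
# Product families named in the advisory's affected-products table.
FAMILIES = ("ControlLogix 5580", "GuardLogix 5580", "CompactLogix 5380",
            "CompactLogix 5480", "Compact GuardLogix 5380",
            "FactoryTalk Logix Echo")

def parse_firmware(text):
    """Parse 'V34.011' or '34.11' into (major, minor) integers."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognized firmware string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(model, firmware):
    """Classify one asset against the advisory's per-branch fix levels."""
    if not model.startswith(FAMILIES):
        return "not-listed"
    major, minor = parse_firmware(firmware)
    if major > max(FIXED):
        return "fixed"  # later than the newest fixed branch
    if major not in FIXED:
        # Assumption: branches older than V33 have no fixed build and
        # need a move to a fixed branch.
        return "no-fix-in-branch"
    # Compare only within the asset's own branch: V34.011 is numerically
    # above V33.017 but still below its branch's fix, V34.014.
    return "fixed" if minor >= FIXED[major] else "vulnerable"

# Constructed sample inventory (names, models and versions are made up).
INVENTORY = [
    ("plc-intake-01", "ControlLogix 5580", "V33.016"),
    ("plc-intake-02", "ControlLogix 5580 Process", "V33.017"),
    ("sis-chlor-01", "Compact GuardLogix 5380 SIL 2", "V34.011"),
    ("plc-lift-07", "CompactLogix 5480", "V32.014"),
    ("plc-other-03", "ExampleVendor PLC", "V33.001"),
]

def report(inventory):
    """Map asset name -> triage status."""
    return {name: triage(model, fw) for name, model, fw in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:15} {status}")
```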
Long-term hardening
HARDENING: Isolate control system networks from business networks using air gaps or routed firewalls to prevent lateral movement from IT infrastructure
HARDENING: Disable internet accessibility to all controllers and engineering devices; use VPNs only for required remote access and keep VPN software updated