Rockwell Automation ControlLogix

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-24-284-20 | Oct 10, 2024
Rockwell Automation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Rockwell Automation ControlLogix and CompactLogix controllers allows an attacker to send a specially crafted CIP (Common Industrial Protocol) message and cause the PLC to become unresponsive, resulting in a denial-of-service condition. The vulnerability affects ControlLogix 5580 Process, ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, CompactLogix 5480, Compact GuardLogix 5380 SIL 2, Compact GuardLogix 5380 SIL 3, and FactoryTalk Logix Echo in versions prior to the fixed releases. No special privileges or user interaction is required for exploitation.

What this means
What could happen
An attacker could send a specially crafted message to a ControlLogix or CompactLogix PLC and cause it to stop responding, halting production or safety-critical processes until the device is manually restarted.
Who's at risk
This affects water utilities, power generators, and chemical/manufacturing plants running Rockwell Automation ControlLogix or CompactLogix controllers. Any organization using ControlLogix 5580, CompactLogix 5380/5480, GuardLogix 5580, or FactoryTalk Logix Echo in versions before V33.017/V34.014/V35.013/V36.011 should prioritize assessment.
How it could be exploited
An attacker with network access to the PLC can send a malformed CIP (Common Industrial Protocol) message that triggers a denial-of-service condition on the controller, causing it to become unresponsive.
Prerequisites
  • Network access to the PLC on port 2222 (Ethernet/IP) or direct CIP connectivity
  • No authentication required to send CIP messages
remotely exploitable | no authentication required | low complexity | affects safety systems (GuardLogix variants) | causes denial of service to critical equipment
Exploitability
Unlikely to be exploited — EPSS score 0.6%
Affected products (8)
8 with fix
Product | Affected Versions | Fix Status
ControlLogix 5580 Process | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011+
Compact GuardLogix 5380 SIL 2 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011+
ControlLogix 5580 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011+
GuardLogix 5580 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011+
CompactLogix 5380 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011+
Compact GuardLogix 5380 SIL 3 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011+
CompactLogix 5480 | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011+
FactoryTalk Logix Echo | <V33.017 V34.014 V35.013 V36.011 | V33.017, V34.014, V35.013, V36.011+
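
The fixed versions above are per release line, so a controller on V35.012 is still affected even though it is "newer" than V33.017. The following added example (not part of the advisory or any Rockwell tooling) triages an asset inventory against those four fixed revisions; the inventory rows, the "review" status and the handling of release lines outside V33 to V36 are assumptions.

```python
import re

# Fixed firmware per major release line, taken from the advisory's table.
FIXED_MINOR = {33: 17, 34: 14, 35: 13, 36: 11}

_REV = re.compile(r"^[Vv]?(\d+)\.(\d+)$")


def parse_revision(text):
    """Parse 'V35.011' or '35.011' into (major, minor) integers."""
    m = _REV.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware revision: {text!r}")
    return int(m.group(1)), int(m.group(2))


def triage(revision):
    """Return 'fixed', 'vulnerable' or 'review' for one firmware revision."""
    major, minor = parse_revision(revision)
    if major in FIXED_MINOR:
        return "fixed" if minor >= FIXED_MINOR[major] else "vulnerable"
    if major > max(FIXED_MINOR):
        return "fixed"  # assumption: 'V36.011+' covers later major lines
    # Assumption: lines older than V33 are not listed with a fix of their own,
    # so they are flagged for manual review against the vendor advisory.
    return "review"


def triage_inventory(inventory):
    """Map each (asset, product, revision) row to its triage status."""
    results = {}
    for asset, _product, revision in inventory:
        try:
            results[asset] = triage(revision)
        except ValueError:
            results[asset] = "review"  # unparseable revision: check by hand
    return results


# Constructed sample inventory (asset names and revisions are made up).
SAMPLE = [
    ("plc-line1", "ControlLogix 5580", "V33.016"),
    ("plc-line2", "CompactLogix 5380", "34.014"),
    ("sis-01", "GuardLogix 5580", "V35.012"),
    ("echo-dev", "FactoryTalk Logix Echo", "V36.011"),
    ("plc-old", "CompactLogix 5480", "V32.013"),
    ("plc-unk", "ControlLogix 5580 Process", "unknown"),
]
```
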
Remediation & Mitigation
Do now
HARDENING: Isolate PLC networks behind firewalls and deny inbound access from untrusted networks
HARDENING: Restrict network access to the PLC to only authorized engineering workstations and control systems
HARDENING: Disable or restrict access to Ethernet/IP ports (typically 2222) at the network boundary if remote access is not required
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ControlLogix 5580 Process to V33.017 or later, ControlLogix 5580 to V34.014 or later, GuardLogix 5580 to V35.013 or later, or other affected models to their respective fixed versions