Version 1.2 / May 18, 2020 - Updated release product and corrected product version information.
Version 1.1 / July 12, 2018 - Updated product version information.
Version 1.0 / June 21, 2019 - Initial Release
A vulnerability exists in certain CompactLogix™ 5370 and Compact GuardLogix® 5370 programmable automation controllers that, if successfully exploited, may cause a Denial of Service (DoS) condition. These products are used to control processes across several industries, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation® has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.
Specific details of this vulnerability were disclosed publicly by researchers presenting at the ICS Cyber Security Conference in Singapore on April 25, 2018. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
- CompactLogix 5370 L1 controllers, versions 30.014 and earlier, excluding version 28.015
- CompactLogix 5370 L2 controllers, versions 30.014 and earlier, excluding version 28.015
- CompactLogix 5370 L3 controllers, versions 30.014 and earlier, excluding version 28.015
- Armor CompactLogix 5370 L3 controllers, versions 30.014 and earlier, excluding version 28.015
- Compact GuardLogix 5370 controllers, versions 30.014 and earlier, excluding version 28.015
- Armor Compact GuardLogix 5370 controllers, versions 30.014 and earlier, excluding version 28.015
Vulnerability Details
This vulnerability may allow a threat actor to intentionally send a specific TCP packet to the product and cause a Major Non-Recoverable Fault (MNRF), resulting in a Denial of Service (DoS) condition. An MNRF is a controlled action taken by the controller when it determines that it can no longer continue safe operation. When a Logix controller determines that an MNRF is the right course of action, the controller is designed to fault, taking it out of run mode, logging diagnostic data, and then invalidating and deleting the controller’s memory. This action requires an application program reload to guarantee the controller has a valid program to continue safe operation.
Alexey Perepechko of Applied Risk discovered this vulnerability in the 1769 Compact GuardLogix 5370 controllers. Rockwell Automation further investigated and discovered additional products affected by this vulnerability; they are included in this advisory. This vulnerability is remotely exploitable. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system, and other controls a user may have in place.
COMPACT GUARDLOGIX ADDITIONAL DETAILS
If a Major Non-Recoverable Fault (MNRF) occurs in a Compact GuardLogix controller, the safety task execution stops and CIP Safety I/O modules are placed into their safe state. All other I/O modules will transition to their configured fault state (for example, Hold Last State). Memory will be marked as invalid and cleared. It is important to note that the memory clear is controlled and intentional, as the controller has determined internally that something is wrong and cannot guarantee continued safe controller execution. As a result, the controller goes into an MNRF state, which is considered safe. Recovery requires that you download the application program again.
COMPACTLOGIX ADDITIONAL DETAILS
If a Major Non-Recoverable Fault (MNRF) occurs in a CompactLogix controller, all I/O modules will transition to their configured fault state (for example, Hold Last State). Memory will be marked as invalid and cleared. It is important to note that the memory clear is controlled and intentional, as the controller has determined internally that something is wrong and cannot guarantee continued safe controller execution. As a result, the controller goes into an MNRF state, which is considered safe. Recovery requires that you download the application program again.
CVE-2017-9312 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (CVSS) v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.
Risk Mitigation & User Action
| Product Type | Product Family | Catalog Numbers | Suggested Actions |
|---|---|---|---|
| Small Controllers | CompactLogix 5370 L1, CompactLogix 5370 L2, CompactLogix 5370 L3, Armor CompactLogix 5370 L3 | 1769-L16ER-BB1B, 1769-L18ER-BB1B, 1769-L18ERM-BB1B, 1769-L19ER-BB1B, 1769-L24ER-QB1B, 1769-L24ER-QBFC1B, 1769-L27ER-QBFC1B, 1769-L30ER, 1769-L30ER-NSE, 1769-L30ERM, 1769-L33ER, 1769-L33ERM, 1769-L36ERM, 1769-L37ERMO | Apply FRN 28.015 or apply 31.011 or later. |
| Safety Controllers | Compact GuardLogix 5370, Armor Compact GuardLogix 5370 L3 | 1769-L30ERMS, 1769-L33ERMS, 1769-L36ERMS, 1769-L37ERMS, 1769-L38ERMS, 1769-L33ERMOS, 1769-L36ERMOS | Apply FRN 28.015 or apply 31.011 or later. |
Note: For 1769-L33ERMOS and 1769-L36ERMOS, apply firmware for 1769-L33ERMS and 1769-L36ERMS respectively.
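To turn the affected-version rule and the mitigation table above into an inventory check, here is an added example (not Rockwell Automation's code) that decides, for a catalog number and firmware revision (FRN), whether a controller falls inside the advisory's affected range and which firmware to apply. The catalog list and version boundaries are taken from this advisory; the inventory entries at the bottom are constructed sample data.

```python
from typing import Optional, Tuple

# Catalog numbers from the advisory's mitigation table (small and safety controllers).
AFFECTED_CATALOG_NUMBERS = {
    "1769-L16ER-BB1B", "1769-L18ER-BB1B", "1769-L18ERM-BB1B", "1769-L19ER-BB1B",
    "1769-L24ER-QB1B", "1769-L24ER-QBFC1B", "1769-L27ER-QBFC1B", "1769-L30ER",
    "1769-L30ER-NSE", "1769-L30ERM", "1769-L33ER", "1769-L33ERM", "1769-L36ERM",
    "1769-L37ERMO", "1769-L30ERMS", "1769-L33ERMS", "1769-L36ERMS", "1769-L37ERMS",
    "1769-L38ERMS", "1769-L33ERMOS", "1769-L36ERMOS",
}

# Version boundaries stated in the advisory.
LAST_AFFECTED = (30, 14)      # "versions 30.014 and earlier"
PATCHED_EXCEPTION = (28, 15)  # "excluding version 28.015"
FIXED_FROM = (31, 11)         # "apply 31.011 or later"

# ERMOS models take the firmware of the corresponding ERMS model (note above).
FIRMWARE_ALIAS = {"1769-L33ERMOS": "1769-L33ERMS", "1769-L36ERMOS": "1769-L36ERMS"}


def parse_frn(frn: str) -> Tuple[int, int]:
    """Parse a Logix firmware revision such as '30.014' into a comparable (major, minor)."""
    major, minor = frn.strip().split(".")
    return int(major), int(minor)


def is_affected(catalog: str, frn: str) -> bool:
    """True when the catalog number is listed and the FRN is in the affected range."""
    if catalog.upper() not in AFFECTED_CATALOG_NUMBERS:
        return False
    rev = parse_frn(frn)
    if rev == PATCHED_EXCEPTION:
        return False
    return rev <= LAST_AFFECTED


def recommended_action(catalog: str, frn: str) -> Optional[str]:
    """Return the firmware to apply, or None when no action is needed."""
    if not is_affected(catalog, frn):
        return None
    target = FIRMWARE_ALIAS.get(catalog.upper(), catalog.upper())
    return f"Apply FRN 28.015 or 31.011+ firmware for {target}"


def triage(inventory):
    """Yield (catalog, frn, action) for every affected controller in an inventory list."""
    return [(c, f, recommended_action(c, f)) for c, f in inventory if is_affected(c, f)]


# Constructed sample inventory; not from the advisory.
SAMPLE_INVENTORY = [("1769-L30ERMS", "30.014"), ("1769-L33ERMOS", "28.012"),
                    ("1769-L36ERM", "28.015"), ("1769-L33ER", "31.011")]
```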
General Security Guidelines
- Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
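As an added example of verifying the first guideline from the network side (not code from the advisory), this script scans constructed flow records and flags EtherNet/IP and CIP traffic (TCP/UDP 2222 and 44818) whose source lies outside the Manufacturing Zone; the zone address range and the log format are assumptions.

```python
import ipaddress

# Ports named in the guideline above.
CIP_PORTS = {2222, 44818}

# Assumed Manufacturing Zone address space (not from the advisory).
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow records: timestamp, protocol, src:port -> dst:port.
SAMPLE_FLOWS = """\
2020-05-18T10:01:02Z tcp 10.20.5.7:51234 -> 10.20.5.20:44818
2020-05-18T10:01:05Z udp 10.20.5.7:2222 -> 10.20.5.21:2222
2020-05-18T10:02:11Z tcp 192.0.2.44:40211 -> 10.20.5.20:44818
2020-05-18T10:02:30Z tcp 203.0.113.9:3389 -> 10.20.5.30:3389
2020-05-18T10:03:00Z udp 198.51.100.8:2222 -> 10.20.5.21:2222
"""


def parse_flow(line):
    """Split one record into a dict with parsed addresses and integer ports."""
    ts, proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": ipaddress.ip_address(src_ip),
            "sport": int(src_port), "dst": ipaddress.ip_address(dst_ip),
            "dport": int(dst_port)}


def in_manufacturing_zone(ip) -> bool:
    return any(ip in net for net in MANUFACTURING_ZONE)


def flagged_flows(text):
    """Return flows that reach CIP ports from outside the Manufacturing Zone."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dport"] in CIP_PORTS and not in_manufacturing_zone(flow["src"]):
            hits.append(flow)
    return hits
```

Any hit indicates traffic the firewall rule in the guideline should already be dropping, so the list doubles as a check that the rule is in place.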
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.