
PN1564 | DNS Name:Wreck Vulnerabilities Affect Multiple Rockwell Automation Products

Severity: Critical
Advisory ID: PN1564
Published Date: April 28, 2021
Last Updated: April 28, 2021
Revision Number: 1.1
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2016-20009
Summary: DNS Name:Wreck Vulnerabilities Affect Multiple Rockwell Automation Products

Revision History

Version 1.0 - April 26, 2021. Initial release.
Version 1.1 - April 28, 2021. Updated affected products and suggested user actions.

Executive Summary

On April 12, 2021, Forescout and JSOF released a report titled "NAME:WRECK" regarding nine DNS-related vulnerabilities against 4 TCP/IP stacks utilized by many different technology vendors, including Rockwell Automation™. Rockwell Automation is impacted by one of these nine reported vulnerabilities. This vulnerability, if successfully exploited, may result in remote code execution.

Rockwell Automation continues to investigate the impact of these vulnerabilities and will update this advisory if additional products are impacted. We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerability and recommended countermeasures are provided herein.

Affected Products

| Product Family | Catalogs | Affected Versions |
|---|---|---|
| Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | All versions. |
| CompactLogix 5370 | 1769-L1y, 1769-L2y, 1769-L3y | All versions prior to v30. |
| | 1769-L3yS | All versions prior to v30, excluding v28.015 |
| ControlLogix® 5580 | 1756-L8 | All versions prior to v30. |
| CompactLogix 5380 | 5069-L3 | All versions prior to v30. |
| ControlLogix EtherNet/IP Module | 1756-EN2T/D, 1756-EN2TK/D, 1756-EN2TXT/D, 1756-EN2F/C, 1756-EN2FK/C, 1756-EN2TR/C, 1756-EN2TRK/C, 1756-EN2TRXT/C, 1756-EN3TR/B, 1756-EN3TRK/B, 1756-EN2TPK/A, 1756-EN2TPXT/A | All versions prior to v11.001. |
| | 1756-EN2TP/A | All versions prior to v10.020. |

Note: GuardLogix® 5580 and Compact GuardLogix® 5380 are not affected by this vulnerability.

Vulnerability Details

CVE-2016-20009: Stack-based overflow in the IPnet may lead to remote code execution
In Wind River VxWorks versions 6.5 through 7, the DNS client (IPnet) has a stack-based overflow in the message decompression function. This may allow a remote, unauthenticated attacker to perform remote code execution.

CVSS v3.1 Base Score: 9.8/10 [CRITICAL]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
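
The checks a DNS name decompression routine needs so that a crafted response cannot overrun a fixed-size buffer, shown as an added example (not Wind River or Rockwell Automation code). The function name `dns_expand_name` and the `sample` packet are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255 /* RFC 1035 limit on an encoded name */
/* Expand the (possibly compressed) name at msg[off] into out as dotted text.
 * Returns the text length, or -1 if the name is malformed or does not fit. */
int dns_expand_name(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_len)
{
    size_t written = 0, wire = 0, limit = off; /* pointers must target < limit */
    if (out_len == 0) return -1;
    for (;;) {
        if (off >= msg_len) return -1;               /* read past the packet */
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                  /* compression pointer */
            if (off + 1 >= msg_len) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (target >= limit) return -1;          /* forward or self: would loop */
            limit = off = target;
            continue;
        }
        if (len & 0xC0) return -1;                   /* reserved label types */
        if (len == 0) break;                         /* root label ends the name */
        if (off + 1 + len > msg_len) return -1;      /* label runs off the packet */
        if ((wire += (size_t)len + 1) + 1 > DNS_MAX_NAME) return -1;
        if (written + len + 1 >= out_len) return -1; /* no room for dot, label, NUL */
        if (written) out[written++] = '.';
        memcpy(out + written, msg + off + 1, len);
        written += len;
        off += (size_t)len + 1;
    }
    out[written] = '\0';
    return (int)written;
}

/* Constructed sample: 12-byte header, "plc.example" at offset 12, "hmi" plus
 * a pointer to offset 16 at offset 25, and a self-pointer at offset 31. */
static const uint8_t sample[] = { 0,0,0,0,0,0,0,0,0,0,0,0,
    3,'p','l','c', 7,'e','x','a','m','p','l','e', 0, 3,'h','m','i', 0xC0,0x10, 0xC0,0x1F };

int main(void) {
    char name[64];
    size_t offs[] = { 12, 25, 31 };
    for (int i = 0; i < 3; i++)
        printf("offset %zu: %s\n", offs[i], dns_expand_name(sample, sizeof sample,
               offs[i], name, sizeof name) < 0 ? "rejected" : name);
    return 0;
}
```

Labels are copied as raw bytes; a caller that logs or displays the result should escape non-printable characters.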

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

| Product Family | Catalogs | Suggested Actions |
|---|---|---|
| Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | Will not be patched. Suggested action is to migrate to the 5069-AENTR. |
| CompactLogix 5370 | 1769-L1y, 1769-L2y, 1769-L3y | Apply v30 or later. |
| | 1769-L3yS | Apply v28.015 or v30 or later |
| ControlLogix® 5580 | 1756-L8 | Apply v30 or later. |
| CompactLogix 5380 | 5069-L3 | Apply v30 or later. |
| ControlLogix EtherNet/IP Module | 1756-EN2T/D, 1756-EN2TK/D, 1756-EN2TXT/D, 1756-EN2F/C, 1756-EN2FK/C, 1756-EN2TR/C, 1756-EN2TRK/C, 1756-EN2TRXT/C, 1756-EN3TR/B, 1756-EN3TRK/B, 1756-EN2TPK/A, 1756-EN2TPXT/A | Apply v11.001 or later. |
| | 1756-EN2TP/A | Apply v10.020 or later. |

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting which may be used to block unauthorized changes, etc.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2016-20009

Copyright ©2022 Rockwell Automation, Inc.